[House Hearing, 106 Congress]
[From the U.S. Government Publishing Office]







         COMPUTER SECURITY: CYBER ATTACKS--WAR WITHOUT BORDERS

=======================================================================

                                HEARING

                               before the

                 SUBCOMMITTEE ON GOVERNMENT MANAGEMENT,
                      INFORMATION, AND TECHNOLOGY

                                 of the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED SIXTH CONGRESS

                             SECOND SESSION

                               __________

                             JULY 26, 2000

                               __________

                           Serial No. 106-252

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpo.gov/congress/house
                      http://www.house.gov/reform

                                 ______

                    U.S. GOVERNMENT PRINTING OFFICE
74-152 DTP                  WASHINGTON : 2001
_______________________________________________________________________
 For sale by the Superintendent of Documents, U.S. Government Printing 
                                 Office
Internet: bookstore.gpo.gov  Phone: (202) 512-1800  Fax: (202) 512-2250
               Mail: Stop SSOP, Washington, DC 20402-0001




                     COMMITTEE ON GOVERNMENT REFORM

                     DAN BURTON, Indiana, Chairman
BENJAMIN A. GILMAN, New York         HENRY A. WAXMAN, California
CONSTANCE A. MORELLA, Maryland       TOM LANTOS, California
CHRISTOPHER SHAYS, Connecticut       ROBERT E. WISE, Jr., West Virginia
ILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York
JOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York
STEPHEN HORN, California             PAUL E. KANJORSKI, Pennsylvania
JOHN L. MICA, Florida                PATSY T. MINK, Hawaii
THOMAS M. DAVIS, Virginia            CAROLYN B. MALONEY, New York
DAVID M. McINTOSH, Indiana           ELEANOR HOLMES NORTON, Washington, 
MARK E. SOUDER, Indiana                  DC
JOE SCARBOROUGH, Florida             CHAKA FATTAH, Pennsylvania
STEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland
MARSHALL ``MARK'' SANFORD, South     DENNIS J. KUCINICH, Ohio
    Carolina                         ROD R. BLAGOJEVICH, Illinois
BOB BARR, Georgia                    DANNY K. DAVIS, Illinois
DAN MILLER, Florida                  JOHN F. TIERNEY, Massachusetts
ASA HUTCHINSON, Arkansas             JIM TURNER, Texas
LEE TERRY, Nebraska                  THOMAS H. ALLEN, Maine
JUDY BIGGERT, Illinois               HAROLD E. FORD, Jr., Tennessee
GREG WALDEN, Oregon                  JANICE D. SCHAKOWSKY, Illinois
DOUG OSE, California                             ------
PAUL RYAN, Wisconsin                 BERNARD SANDERS, Vermont 
HELEN CHENOWETH-HAGE, Idaho              (Independent)
DAVID VITTER, Louisiana


                      Kevin Binger, Staff Director
                 Daniel R. Moll, Deputy Staff Director
                     James C. Wilson, Chief Counsel
                        Robert A. Briggs, Clerk
                 Phil Schiliro, Minority Staff Director
                                 ------                                

   Subcommittee on Government Management, Information, and Technology

                   STEPHEN HORN, California, Chairman
JUDY BIGGERT, Illinois               JIM TURNER, Texas
THOMAS M. DAVIS, Virginia            PAUL E. KANJORSKI, Pennsylvania
GREG WALDEN, Oregon                  MAJOR R. OWENS, New York
DOUG OSE, California                 PATSY T. MINK, Hawaii
PAUL RYAN, Wisconsin                 CAROLYN B. MALONEY, New York

                               Ex Officio

DAN BURTON, Indiana                  HENRY A. WAXMAN, California
          J. Russell George, Staff Director and Chief Counsel
                Bonnie Heald, Director of Communications
                           Bryan Sisk, Clerk
                    Trey Henderson, Minority Counsel




                            C O N T E N T S

                              ----------                              
Hearing held on July 26, 2000
Statement of:
    Molander, Roger, senior research, RAND; and John Pescatore, 
      vice president and research director, Network Security, 
      Gartner Group
    Schaeffer, Richard C., Jr., Director, Infrastructure and 
      Information Assurance, Office of the Assistant Secretary of 
      Defense (Command, Control, Communication, and 
      Intelligence); Mario Balakgie, Chief Information Assurance 
      Officer, Defense Intelligence Agency, Department of 
      Defense; and Jack Brock, Director, Governmentwide and 
      Defense Information Systems, U.S. General Accounting Office
    Spotila, John T., Administrator, Office of Information and 
      Regulatory Affairs, Office of Management and Budget
    Vatis, Michael, Director, National Infrastructure Protection 
      Center, Federal Bureau of Investigation; Juris Reksna, 
      chief of State Police, Ministry of Internal Affairs, 
      Latvia; Stefan Kronqvist, chief, Computer Crime Unit, 
      National Crime Investigation Department, Sweden; Juergen 
      Maurer, detective chief superintendent, German Federal 
      Police Office; Elfren L. Meneses, Jr., Anti-Fraud and 
      Computer Crimes Division, National Bureau of Investigation, 
      Philippines; Ohad Genis, advocate, chief inspector, 
      National Unit for Fraud Investigations, Israel Police; and 
      Edgar A. Adamson, chief, U.S. National Central Bureau--
      Interpol
Letters, statements, etc., submitted for the record by:
    Adamson, Edgar A., chief, U.S. National Central Bureau--
      Interpol, prepared statement of
    Balakgie, Mario, Chief Information Assurance Officer, Defense 
      Intelligence Agency, Department of Defense, prepared 
      statement of
    Brock, Jack, Director, Governmentwide and Defense Information 
      Systems, U.S. General Accounting Office, prepared statement 
      of
    Davis, Hon. Thomas M., a Representative in Congress from the 
      State of Virginia, prepared statement of
    Genis, Ohad, advocate, chief inspector, National Unit for 
      Fraud Investigations, Israel Police, prepared statement of
    Horn, Hon. Stephen, a Representative in Congress from the 
      State of California, prepared statement of
    Kronqvist, Stefan, chief, Computer Crime Unit, National Crime 
      Investigation Department, Sweden, prepared statement of
    Maurer, Juergen, detective chief superintendent, German 
      Federal Police Office, prepared statement of
    Meneses, Elfren L., Jr., Anti-Fraud and Computer Crimes 
      Division, National Bureau of Investigation, Philippines, 
      prepared statement of
    Molander, Roger, senior research, RAND, prepared statement of
    Pescatore, John, vice president and research director, 
      Network Security, Gartner Group, prepared statement of
    Reksna, Juris, chief of State Police, Ministry of Internal 
      Affairs, Latvia, prepared statement of
    Schaeffer, Richard C., Jr., Director, Infrastructure and 
      Information Assurance, Office of the Assistant Secretary of 
      Defense (Command, Control, Communication, and 
      Intelligence), prepared statement of
    Spotila, John T., Administrator, Office of Information and 
      Regulatory Affairs, Office of Management and Budget, 
      prepared statement of
    Turner, Hon. Jim, a Representative in Congress from the State 
      of Texas, prepared statement of
    Vatis, Michael, Director, National Infrastructure Protection 
      Center, Federal Bureau of Investigation, prepared statement 
      of

 
         COMPUTER SECURITY: CYBER ATTACKS--WAR WITHOUT BORDERS

                              ----------                              


                        WEDNESDAY, JULY 26, 2000

                  House of Representatives,
Subcommittee on Government Management, Information, 
                                    and Technology,
                            Committee on Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10:02 a.m., in 
room 2157, Rayburn House Office Building, Hon. Stephen Horn 
(chairman of the subcommittee) presiding.
    Present: Representatives Horn, Davis, Turner, and Maloney.
    Also present: Tatjana Antonova, Latvian interpreter.
    Staff present: J. Russell George, staff director and chief 
counsel; Ben Ritt, GAO detailee; Bonnie Heald, director of 
communications; Bryan Sisk, clerk; Elizabeth Seong, staff 
assistant; Will Ackerly and Davidson Hulfish, interns; Trey 
Henderson, minority counsel; and Jean Gosa, minority clerk.
    Mr. Horn. A quorum being present, the hearing of the House 
Subcommittee on Government Management, Information, and 
Technology will come to order.
    I apologize for being a little late. It's the first time it 
has happened, but we had a party conference this morning and we 
got a new Member, so that takes a little time. That is Mr. 
Marty Martinez, who switched parties to come with us because he 
wanted common sense government.
    From the ``ILOVEYOU'' virus to attempts to enter the space 
shuttle's communication system, cyber attacks are on the rise. 
Every day new viruses and attempted intrusions bombard vital 
computer systems and networks within U.S. Government agencies 
and private industries. Sometimes the attackers are simply 
seeking the thrill of breaking into a supposedly secure system. 
Other times, however, the motive is far more sinister--
vandalism, industrial espionage, intelligence collection, or 
creating a doorway for a future attack. As the ``ILOVEYOU'' 
virus clearly demonstrated, these attacks can originate from 
nearly anywhere in the world.
    Many experts say this is only the tip of the iceberg in 
terms of the number of attacks, their sophistication and their 
destructiveness. In the United States and in many other 
countries, law enforcement agencies and private organizations 
collect and share information on these worldwide computer 
attacks. However, not all countries have the capability to 
detect them, warn others, or even prosecute the hackers once 
they have been identified.
    In the United States, the Federal Bureau of Investigation 
and the Departments of Commerce and Defense all have a role in 
tracking and investigating cyber attacks. Many other agencies 
and private organizations also track and share this critical 
information. Other countries also have law enforcement agencies 
and organizations set up to investigate and share cyber attack 
information. But among the variety of players, who is 
coordinating an efficient, effective response to this 
international problem?
    Today, we will examine the challenges of coordinating these 
cyber attack investigations. Our witnesses represent cyber 
crime investigation units in several countries, including the 
United States. They will discuss their experiences. There is a 
great need for a sharing of these experiences daily, weekly and 
at least monthly. Alliances such as the North Atlantic Treaty 
Organization should work together if we will be able to win 
these cyber wars.
    We welcome each of our witnesses. We appreciate many of you 
that have taken a long journey to come here, and we look 
forward to the testimony you will submit, and it will be put 
through the processes to go to the full House of 
Representatives after this and other hearings have come by.
    So we will now turn to the ranking member, the gentleman 
from Texas, Mr. Turner, for an opening statement.
    [The prepared statement of Hon. Stephen Horn follows:]
    [GRAPHIC] [TIFF OMITTED] T4152.001
    
    Mr. Turner. Thank you, Mr. Chairman. We know that the 
United States and many industrialized nations now depend on the 
interconnected computer system that we call the Internet. We 
know that it supports critical operations in the private sector 
as well as government. And we understand that the increased 
reliance upon the Internet has caused us to be highly 
vulnerable to cyber attacks.
    These cyber attacks know no boundaries and can occur from 
anywhere in the world. I had the opportunity to visit with some 
members of the European Parliament a few weeks ago and it came 
home to me how much we have in common in terms of trying to 
deal with the new systems that are in place upon which we all 
know we depend for our very livelihood.
    It is important for law enforcement agencies throughout the 
world to work cooperatively in the defense against those who 
would perpetuate computer crimes. And in order to more 
effectively fight this battle, we need to coordinate our 
information sharing and cooperate as an international community 
to be sure that we are protecting our citizens and our 
livelihoods.
    This committee has had three hearings now on this subject 
and many of you on the panel today have traveled long distances 
to come and share your thoughts with us, for which we are 
extremely appreciative and grateful. I look forward to hearing 
from each of you, and I hope that this can be a part of our 
continuing effort to work nation to nation to ensure that we 
can defend against cyber attacks and protect the security of 
our systems.
    Thank you, Mr. Chairman.
    [The prepared statements of Hon. Jim Turner and Hon. Thomas 
M. Davis follow:]
[GRAPHIC] [TIFF OMITTED] T4152.002

    Mr. Horn. We thank you very much for all you have done to 
pursue some of these real questions and we appreciate that.
    We are now turning to the witnesses. We are notified that 
we might have to recess for the first vote of the day, and that 
is one of the problems we have when we are in the middle of a 
hearing where we would rather keep going. Our duty is to get 
over to the floor and get back. So that might happen around 
10:30. So I would like to begin with this panel.
    The way this operation works with all presentations, since 
it is an investigating committee, is that we swear all the 
witnesses in on a truth oath. And we will call--when we call on 
you based on the agenda, the full written statement of yours 
and the resume goes into the record so we don't have to hear 
the paper you gave us read. We like you to summarize it because 
that way it permits a dialog within the panel as well as the 
Members who will be here.
    So we do not want you to really read your work; just 
summarize it for us. We will now ask you to stand and raise 
your right hands.
    [Witnesses sworn.]
    Mr. Horn. The clerk will note that all the witnesses have 
taken the oath.
    We start with Mr. Michael Vatis, the Director, National 
Infrastructure Protection Center of the Federal Bureau of 
Investigation. Mr. Vatis.

STATEMENTS OF MICHAEL VATIS, DIRECTOR, NATIONAL INFRASTRUCTURE 
   PROTECTION CENTER, FEDERAL BUREAU OF INVESTIGATION; JURIS 
 REKSNA, CHIEF OF STATE POLICE, MINISTRY OF INTERNAL AFFAIRS, 
LATVIA; STEFAN KRONQVIST, CHIEF, COMPUTER CRIME UNIT, NATIONAL 
    CRIME INVESTIGATION DEPARTMENT, SWEDEN; JUERGEN MAURER, 
 DETECTIVE CHIEF SUPERINTENDENT, GERMAN FEDERAL POLICE OFFICE; 
    ELFREN L. MENESES, JR., ANTI-FRAUD AND COMPUTER CRIMES 
 DIVISION, NATIONAL BUREAU OF INVESTIGATION, PHILIPPINES; OHAD 
   GENIS, ADVOCATE, CHIEF INSPECTOR, NATIONAL UNIT FOR FRAUD 
  INVESTIGATIONS, ISRAEL POLICE; AND EDGAR A. ADAMSON, CHIEF, 
             U.S. NATIONAL CENTRAL BUREAU--INTERPOL

    Mr. Vatis. Thank you, Mr. Chairman, Congressman Turner; I 
very much appreciate the opportunity to testify before you 
today, particularly in the presence of so many of my 
international colleagues. I am not aware of any previous 
hearing that has had so many international law enforcement 
officials together in one place, especially on an issue where 
international cooperation is so vital to our success. So I 
applaud the committee for holding this hearing in this manner.
    As you know, the National Infrastructure Protection Center 
was set up in February 1998 and authorized by Presidential 
Decision Directive 63 to serve as the government's focal point 
for collecting information about cyber threats and attacks, 
analyzing that information, issuing pertinent warnings to both 
government agencies and private industry, and also coordinating 
the government's response to attacks that do occur.
    That mission requires cooperative arrangements with a 
variety of entities, both governmental and in the private 
sector. We need to have close relationships with other Federal 
agencies, with State and local law enforcement, with the 
private sector owners and operators of the Nation's critical 
infrastructures and, most pertinent to this hearing, with our 
foreign law enforcement counterparts, and we try to achieve 
those cooperative arrangements through a variety of mechanisms.
    With other Federal agencies, the first mechanism is by 
having those agencies represented in the NIPC, which is, while 
located at FBI, an interagency center. So we have numerous 
representatives from various components of the Department of 
Defense, from the Intelligence Community, from the Department 
of Commerce, and from other agencies as well.
    We also have State and local law enforcement 
representation, as well as foreign liaison representation. That 
interagency composition allows us to coordinate more 
effectively when there is an incident or when there is the 
requirement to share information across agencies and with the 
private sector as well.
    We also reach out to the private industry through a variety 
of outreach initiatives, including our InfraGard program, which 
is an initiative to share information about incidents in a two-
way fashion, both so industry can share information with us 
that they become aware of and so we can share information with 
them about incidents that we become aware of through law 
enforcement or intelligence means.
    In addition, we reach out to our private industry 
counterparts through various conferences and outreach 
initiatives to try to generate awareness and to convince them 
of the need to raise security in general, because even with all 
of our warning efforts, if we do not have better security there 
is no way we can really make headway against this problem. The 
situation right now is such that vulnerabilities are so rampant 
throughout the Internet that until the bar is raised against 
attacks, all of the government's efforts really would be 
wasted. So we are trying to work in tandem with the private 
sector to encourage it to raise the level of security while 
also improving our ability in the government to respond to 
attacks and issue warnings effectively.
    Finally, with regard to foreign law enforcement, I think it 
is commonly understood now that in the area of cyber crime, 
foreign cooperation is absolutely critical because the Internet 
knows no boundaries. It is as easy to launch an attack from a 
foreign country as it is from within the United States. And as 
a result, we are increasingly finding that our investigations 
lead us to foreign countries, where we have to seek the 
assistance and cooperation of the domestic law enforcement 
agency because we don't have the authority or the capability to 
conduct searches or witness interviews or electronic 
surveillances in a foreign country. So international 
cooperation is absolutely critical.
    We have had a number of cases over the last 2 years which 
have demonstrated, I think, a great improvement in our ability 
to coordinate with foreign countries. In 1998, we had the Solar 
Sunrise incident, which involved wide scale intrusions into 
Department of Defense computer networks. We tracked down the 
intruders with the assistance of the Israeli National Police 
and identified two juveniles in the United States and several 
individuals in Israel who were responsible for those 
intrusions.
    This year, we had the arrest of an individual in the United 
Kingdom who had broken into Web sites and stolen credit card 
numbers and posted many of those numbers on a Web site. That 
case was successfully resolved because of close cooperation 
between the FBI and a local Welsh police service.
    We also had most notably the denial of service attacks in 
February of this year--many of those attacks have been 
attributed to a juvenile in Canada--based in large part on very 
close working relationships between the FBI and the Royal 
Canadian Mounted Police.
    And then finally we had the ``Love Bug,'' or ``ILOVEYOU'' 
virus in May of this year. And in that case too, a suspect was 
identified in the Philippines really with unprecedented speed, 
based again on the very close working relationship between the 
FBI and the Philippines National Bureau of Investigation.
    So I think all of those major successes demonstrate that we 
have made a great deal of progress in improving coordination 
with foreign law enforcement agencies. There is clearly a long 
way to go because there are so many countries in the world, and 
as we see the Internet continue to expand we're not going to 
need cooperation just from our close allies within the G-8 or 
within European countries and our traditional allies in Asia, 
but we are going to need more cooperation from countries that 
we have not traditionally worked together with, and that will 
pose even more challenges as we try to continue to expand our 
network of contacts.
    So I look forward to answering any questions that you have, 
but I think that sums up the situation from the U.S. 
perspective.
    [The prepared statement of Mr. Vatis follows:]
    [GRAPHIC] [TIFF OMITTED] T4152.006
    
    Mr. Horn. Well, thank you very much. We appreciate that, 
Mr. Vatis.
    Our next witness has traveled a long way to come here, so 
we are going to listen very carefully to the gentleman's 
testimony. It is Mr. Juris Reksna, chief of the State Police, 
Ministry of Internal Affairs in Latvia. He is accompanied by a 
translator, Tatjana Antonova. And we thank you very much for 
coming and sharing your information with us.
    [Note.--The following testimony was delivered through an 
interpreter.]
    Mr. Reksna. Mr. Chairman and members of the subcommittee, I 
am honored here to represent the Republic of Latvia and I would 
like to express my gratitude for the invitation to participate 
in this hearing. The Latvian police and FBI cooperation has 
been extensive and has helped investigations in the U.S.A., 
resulting in the identification of violent criminals and the 
recovery of substantial amounts of funds for possible return to 
victims of crime in the U.S.A.
    The cooperation increases every day, and the training that 
was provided by FBI and other U.S.A. law enforcement agencies 
has helped greatly. The funds, 500,000 U.S. dollars, provided 
by the U.S.A. Congress to Latvia for the purchase of equipment 
to fight organized crime, will allow Latvia to move into the 
cyber age more rapidly and to allow for the examination and 
analysis of data, and this will assist the U.S.A. in addressing 
crimes which have truly become transnational and the attempt to 
use Latvian banks on the Internet to escape detection.
    The fight against cyber crimes is the responsibility of the 
criminal police of Latvia, which is a part of the National 
State Police. Three percent of our cases have international 
components. Most are threats that are being sent through 
anonymous Internet servers that are located outside the 
territory of Latvia, as well as attempts of hackers to break 
into financial institution computer systems.
    As my time is limited, I will ask my interpreter to read 
the recent cases during the 2 years that took place in Latvia.
    These are the synopses of criminal cases that have taken 
place: The so-called Terrorist Victor case. In March 1997, 
information was received about an explosive device placed in a 
shop. The police had neutralized this device. Shortly after 
that, e-mail threats have been sent by an anonymous person who 
called himself Victor, claiming to continue terrorist acts and 
demanding ransom.
    As a result of investigation it was determined that Victor 
telephoned from a mobile phone that was illegally connected to 
the networks of Sweden, Norway and Finland. As a result of 
joint efforts made by law enforcement agencies from Sweden, 
Norway, Finland, Estonia, Austria, Russia, the U.S.A., Victor 
was identified. He was sentenced to 7 years in prison.
    In the Lowes Home Improvement Center bombing case in North 
Carolina an individual planted several explosive devices in the 
stores which exploded and injured five persons. The criminal 
demanded money from the company and stated it should be wired 
to Paritate Bank in Latvia. The Latvian police, in coordination 
with the FBI LEGAT and the FBI office in Charlotte, NC, were 
able to track telephone calls, provide information on the 
account holder in the U.S.A. and his use of the bank's Internet 
banking service, which he thought would be difficult to trace 
because of the Internet and the location of the bank in Latvia.
    The case of ``stockgeneration.com'' is worth mentioning as 
well. This pyramid scheme using the Internet was having money 
wired to Rietumu Bank in Latvia and attempted then to wire 
transfer it to accounts in Russia and elsewhere. The case is 
ongoing and being worked in conjunction with LEGAT Tallinn, the 
Boston division of the FBI, the Securities and Exchange 
Commission in Boston, and the Internal Revenue Service. 
Cooperation between the United States and Latvia and Estonia 
has resulted in the freezing of $5.5 million for potential 
return to U.S. victims.
    Cyber crimes have really become transnational. Therefore, 
the following measures should be taken urgently to ensure our 
success in battling cyber crimes.
    Joint international training in order to improve 
international response to cyber intrusions; close cooperation 
is necessary with all the partners on an international and 
national level in order to prevent and investigate cyber crimes 
more effectively; we should continue to develop and improve the 
current legislation in this issue; the Internet has become a 
major aspect of everyday life for the world's society. That is 
why international cooperation, mutual understanding and support 
is vitally important in order to improve our capabilities to 
locate and identify criminals.
    Thank you for your attention.
    [The prepared statement of Mr. Reksna follows:]
    [GRAPHIC] [TIFF OMITTED] T4152.018
    
    Mr. Horn. That is perfect timing if I ever saw it. We just 
have a vote now, so we are going to have to recess for about 15 
minutes here and vote and come back. Two votes, so it might be 
20 minutes. So we are in recess.
    Mr. Davis. Mr. Chairman, could I ask unanimous consent that 
my statement be put in the record?
    Mr. Horn. Without objection, the gentleman's opening 
statement will be put after the ranking member as if read. 
Thank you. With that, we are in recess for 20 minutes.
    [Recess.]
    Mr. Horn. The recess is over and we will go to the next 
witness, Mr. Stefan Kronqvist, chief, Computer Crime Unit, 
National Crime Investigation Department, Sweden. We thank you 
for coming the long flight you did have. So please proceed, and 
if you could summarize it in 5 to 7, 8 minutes, that would be 
appreciated.
    Mr. Kronqvist. Thank you, Mr. Chairman, Congressman Turner. 
Thank you for the opportunity to appear before you today to 
describe the situation on combating cyber crime from the 
Swedish point of view.
    On the reorganization of the Swedish police force, the 
National Criminal Investigation Department is the central 
responsible authority for operational police activities. 
Responsibilities of the national CID include criminal 
intelligence service, certain qualified criminal investigations 
and support to the local police authorities. The NCID is 
functioning as central level coordinator for the combat against 
organized crime.
    Further, the NCID is responsible for operational 
international police cooperation, operation and serving as 
National Central Bureau of the Interpol and the national 
Europol units.
    The Information Technology Crime Unit of the NCID has 
instructions to maintain and develop national support 
activities in order to assist the local police authorities in 
surveying and investigating IT crime. The unit provides 
training, developmental tools and techniques and also carries 
out operational activities by conducting house searches and 
interviews and analyzing seizures and also by tracing and 
identifying persons who use the Internet and its services and 
functions as targets or means in the commission of crime.
    Recently, we established a 24-hour service, one reason 
being that Sweden had joined the G-8 Network contact point for 
high-tech cases.
    The IT unit at NCID is processing some 500 cases yearly. Of 
these cases about 50 percent are Internet related. Practically 
all Internet cases have an international component. The 
Internet knows no boundaries and no border lines.
    For a good many years the NCID has enjoyed a state of close 
and comprehensive cooperation with the FBI. We have had several 
investigations where we worked with the FBI and perhaps the 
best known case would be the E911 case in which our unit 
cooperated with the FBI in an effort to trace and identify a 
Swedish suspect who, by means of illegal telecommunication, 
periodically locked the E911 lines in a major area in Florida.
    One element of this cooperation was to set up a tracing 
team with Swedish and U.S. telecommunication operators. This 
was a rather complex operation, which could not have succeeded 
without the professional skill and dedication of the units and 
the investigators involved.
    The E911 case was very instructive, not least because the 
perpetrator posed a threat to infrastructure functions. FBI 
Director Mr. Louis Freeh described the incident ``as a dress 
rehearsal for a national disaster.''
    The main problem we are facing in Internet crime is 
obtaining access to useful information from foreign Internet 
providers and responsible Web managers. Normally, a provider 
asks for a court order, subpoena, or other form of domestic 
disposition before information is supplied. Such a decision 
must be preceded by an international letter rogatory, a time 
consuming procedure, as we all know. It is my understanding 
that certain criminal operators are well aware of this.
    One way of addressing this problem that suggests itself 
would be international agreements to release subscriber 
information and logged IP addresses and other useful 
information to law enforcement authorities in another country 
without the requisite of a formal rogatory request. The 
transmission of information would be handled via special 
contact points in order to secure authority and make sure that 
the information does not fall into the wrong hands.
    In order to ensure the quality of documents or information, 
probably some kind of authorization or licensing of Internet 
operators might be a possible alternative. You may probably not 
get to the actual criminals that way, but what do they care 
about regulations anyway? Thank you for your attention.
    [The prepared statement of Mr. Kronqvist follows:]
    Mr. Horn. Well, we thank you very much. That is a very fine 
presentation, and we can learn a lot from it.
    Our next witness is Mr. Juergen Maurer, detective chief 
superintendent, German Federal Police Office.
    Mr. Maurer. Mr. Chairman, ladies and gentlemen, I am very 
pleased and sincerely honored to receive the opportunity to 
address the members of this honorable committee.
    My name is Juergen Maurer. I am a Leitender 
Kriminaldirektor of the German Criminal Police Office, or BKA. 
I am the head of the Subdivision Central Services within the 
BKA and, among others, responsible for the undercover program 
and the foreign liaison program of the BKA. In this context, 
allow me to give you some short background information about 
our office.
    The BKA was founded in 1951. In Germany, based on our 
Constitution, police work is in general within the jurisdiction 
of the Federal states. The BKA law constitutes an exemption 
from this principle. As a result of this exemption, the BKA is, 
among others, the German National Center Bureau of Interpol and 
the main law enforcement agency in the field of international 
organized crime and terrorism cases. The BKA is also the 
primary police agency dealing with cyber crime.
    The bulk of cyber crime cases handled by the BKA has an 
international component. A special reporting system has been 
set up for information and technology crime and shows that 
about 50 percent of ICT cases have an international component.
    Cooperation with partner agencies from abroad is mainly 
through the 24-hour contact points for international high-tech 
and computer-related crime established by the G-8 countries. In 
addition, there are contacts with the United States using our 
BKA liaison officers at our Embassy in Washington, DC, or the 
FBI liaison officer posted to Frankfurt, Germany, on a case-by-
case basis. Contact with the NIPC on a case-to-case basis has 
occurred so far only in connection with the distributed denial 
of service attacks in February this year.
    The case showed that even though the cooperation was very 
good, there is still a need to establish a more efficient and 
effective way of exchanging information. In late June this 
year, representatives of the BKA and NIPC discussed 
possibilities to enhance the cooperation.
    The overall investigative cooperation of BKA and FBI has a 
long tradition and has proved very successful. We work together 
in a significant number of organized crime and white collar 
crime cases. There has also been a very successful cooperation 
with the FBI concerning fugitive cases.
    Within the BKA, the IT crime section has about 30 officers 
and the following tasks: collection and analysis of IT crime 
information; national reference point on IT crime; assistance 
and training for other investigative units; analysis of data 
carriers and storages; Internet investigation; and the so-
called data network patrol.
    In this unit, 15 police officers in an overt, nonconcealed 
manner are surfing the net and developing criminal cases in 
identifying the perpetrators. In 1999, around 1,100 cases with 
the suspicion of crime were detected; 90 percent of these cases 
were child pornography cases, 81 percent of these cases had an 
international component; 62 percent of these cases had a 
connection with the United States.
    What should have priority in the future? First, victims of 
cyber intrusions as well as ISPs should keep and make available 
log files providing information about the IP addresses used by 
the criminal or other information that may help identify the 
criminal.
    It would also assist investigators if the ISP created 
technical prerequisites for the surveillance of on-line 
communications comparable to telecommunications interception 
for them to be conducted straight away if required by law.
    Second, there is already a variety of training and advanced 
training courses organized on the international level. However, 
more training should be provided. There is a need to create 
uniform training standards for investigators at the 
international level and establish points of contact for partner 
agencies from abroad to guarantee a great information flow.
    Third, many victimized companies in Germany are still 
hesitant to file a criminal complaint with the law enforcement 
agencies because they feel loss of prestige. For the benefit of 
law enforcement, it seems important to forge cooperation 
partnerships with the system administrators of the victims to 
obtain the required information more quickly. In urgent cases; 
for example, extortion and danger to life and limb, access to 
the raw data should be possible without having to go through 
the time consuming standard formalities under international 
law.
    Also some types of computer crime and cyber intrusions in 
particular require an immediate response by the law enforcement 
community since data needed as evidence are usually stored for 
a short period of time only.
    That was pretty much what I wanted to stress. Thank you very 
much for your attention.
    [The prepared statement of Mr. Maurer follows:]
    Mr. Horn. Thank you very much.
    We will go out of order because we are trying to help on a 
situation that a member of the executive branch has here. So if 
you might, we are going to start with his testimony, since he 
has to be elsewhere.
    John T. Spotila is the Administrator, Office of Information 
and Regulatory Affairs, Office of Management and Budget, which 
is part of the President's Executive Office of the President.

    STATEMENT OF JOHN T. SPOTILA, ADMINISTRATOR, OFFICE OF 
 INFORMATION AND REGULATORY AFFAIRS, OFFICE OF MANAGEMENT AND 
                             BUDGET

    Mr. Spotila. Good morning, Mr. Chairman. Thank you for 
inviting me here to discuss administration efforts in the areas 
of computer security and critical infrastructure protection.
    The President has given high priority to cyber security and 
the protection of our Nation's critical information assets. He 
understands the growing risks that our Nation faces from cyber 
threats and has taken a series of steps outlined in my written 
testimony to develop our cyber defenses. In his fiscal year 
2000 budget, the President proposed some $2 billion for agency 
critical infrastructure protection and computer security 
programs. This would be an increase over last year's enacted 
total of $1.8 billion.
    It would include funding to detect computer attacks, 
coordinate research on security technology, hire and train more 
security experts, and create an internal expert review team for 
nondefense agencies.
    These initiatives are vitally important. Regrettably, many 
of our requests for security funds face an uncertain future in 
the appropriations process. We critically need funding for the 
National Institute for Standards in Technology and the Critical 
Infrastructure Assurance Office at Commerce, for the Federal 
computer incident response capability, and the Federal 
intrusion detection network at GSA, for public key 
infrastructure work at Treasury, and for the scholarship for 
service effort at the Office of Personnel Management and the 
National Science Foundation.
    It has been particularly difficult to gain support for 
crosscutting initiatives, despite their importance to our 
computer security efforts. We should be more open to innovative 
approaches in this area and look for opportunity for synergy 
and interagency cooperation.
    OMB plays a key role in government computer security 
efforts. In February, we issued important guidance to the 
agencies on incorporating security and privacy requirements in 
each of their fiscal year 2002 information technology budget 
submissions.
    In the future, when requesting approval for information 
technology funds, agencies must demonstrate how they have built 
adequate security and privacy controls into the life cycle 
maintenance and technical architectures of each of their 
systems. Without an adequate showing, the systems will not be 
funded.
    OMB Circular A-130 sets forth governmentwide policies for a 
wide variety of information and information resource management 
issues. It addresses agency management of information and 
information systems, including capital planning and investment 
control. Appendix 1 sets privacy policy. The soon to be issued 
appendix 2 defines policy for information architectures and 
implementation of the Government Paperwork Elimination Act. 
Appendix 3 sets security policy.
    Importantly, appendix 3 requires Federal agencies to adopt 
a minimum set of risk-based management controls. Four controls 
are described: assigning responsibility for security, security 
planning, periodic review of security controls, and management 
authorization.
    These controls are intentionally not technology dependent. 
Instead, they focus on the management controls agencies need to 
assure adequate security. Technical and operational controls 
should support these management controls.
    We believe, as GAO has said, that our computer security 
policies are properly focused on a risk-based cost-effective 
approach and reflect the right balance between strong security 
and mission needs. Good design and good planning are the keys 
to successful security. For good design, security must be 
compatible with and enable, not unnecessarily impede, system 
performance, business operations, and the mission.
    When security unnecessarily slows the system or hinders the 
mission, users often work around it or ignore it completely. To 
work effectively, security must be part of the system 
architecture, built in so that users will buy in.
    Good planning requires that we fund security and privacy as 
part of the life cycle costs for each system. To identify a 
true system cost and adequately plan for future system or 
program operations, we must account for all of the resources 
necessary to operate the systems, including security.
    Our approach provides maximum flexibility for agencies so 
that they can make appropriate informed choices in applying 
necessary security controls that are consistent with their 
unique circumstances.
    Most security problems come not from a lack of policy, but 
rather from ineffective or incomplete implementation of 
existing policies and guidance. We are very much aware of this 
risk in the Federal context. There is much more to be done 
before we reach full implementation of our existing security 
guidance.
    As my written testimony describes, we are working on a 
number of specific projects to assist the agencies and enhance 
governmentwide security. These include testing a systematic 
process of identifying, assessing, and sharing effective 
security practices; finalizing security performance measures 
against which agencies can assess their security programs; 
creating a formal process for coordinating our governmentwide 
response to cyber incidents of national significance; and 
promoting more timely agency installation of patches for known 
vulnerabilities.
    These are innovative efforts that show great promise. They 
need congressional support if we are to fulfill that promise. 
We appreciate your interest in all of these matters and look 
forward to continuing our close cooperation with the committee 
in this important area. We value our partnership with you and 
hope that this hearing will mark a further strengthening of our 
joint efforts on behalf of the American people.
    Thank you.
    [The prepared statement of Mr. Spotila follows:]
    Mr. Horn. Thank you, Mr. Spotila. I would like to ask a few 
questions before you leave.
    OMB Circular A-133, section 3, so forth, requires that 
agencies have an incident response capability to address 
security incidents in a system and to share information 
concerning common vulnerabilities and threats. The incident 
response capability shall share information with other 
organizations and assist the agency in pursuing appropriate 
legal action consistent with the Department of Justice 
guidance, is our reading of that.
    Have all the agencies complied in developing an incident 
response capability?
    Mr. Spotila. Mr. Chairman, to varying degrees, all of the 
agencies have sought to comply. One of the areas of focus, and 
I go into a little more detail in the written testimony, and we 
certainly would be happy to work very closely with you on 
this--that we in OMB have been focused on is how to get all the 
agencies to do a better job at this. And again some are better 
at it than others in the nondefense area.
    We think that part of the answer is integrating it into 
their overall approach to information technology, not just an 
add-on, in other words, approach, but to integrate it into all 
of their planning. And although we are making progress, we also 
recognize there is much we need to learn, including how it is 
we assess how well they are doing. We are working with the CIO 
Council and the agencies to develop popular metrics performance 
measures. We know there is a lot more work to be done here.
    Mr. Horn. Are all agencies fully participating in the 
sharing of information on shared threats and vulnerabilities?
    Mr. Spotila. To my understanding, they all are. I am not 
aware of any that have resisted that, for example.
    Mr. Horn. What, if any, guidance will OMB issue that 
outlines a framework for sharing such information in an 
international context? Is there some thinking going on that?
    Mr. Spotila. We have discussions under way. I don't know 
that we have made a decision as to what type of guidance would 
be appropriate in the international context. Our focus has been 
clearly with nondefense agencies and our focus has been 
obviously threats can come from anywhere in the globe. We are 
aware of that. But in terms of communicating outward in the 
international context, I think that is something that remains 
to be discussed and we are open to suggestions from you if you 
think we should do more.
    Mr. Horn. Are we looking at the Embassies to help in this 
regard? I know in some cases we have appropriate security 
people. Or are you thinking of doing that and/or also direct 
contact with our security people and a particular nation's 
security people?
    Mr. Spotila. There is obviously here an area where the 
State Department has had a lead in terms of focusing on 
security, particularly relating to the Embassy, and the Defense 
and National Security Agencies have been addressing this for 
some time. One of the questions is whether there is more that 
needs to be done beyond that and, if so, to what extent OMB 
should issue guidance. I think this is an area where we need to 
work on it in a continuing way.
    The threat is evolving. The nature of the technology is 
evolving, and I think that we need to continually look at 
whether there is more that should be done.
    Mr. Horn. Well, as you have suggested here, the computer 
security policy development and oversight that OMB has, and I 
take it then will plan some policy on international information 
and sharing and coordination?
    Mr. Spotila. I would be happy to get back to you, Mr. 
Chairman, with a written response if you like and could perhaps 
elaborate on this more.
    Mr. Horn. That is fine. Does the FBI's Carnivore program 
provide information and data to the National Infrastructure 
Protection Center? I would like to ask you and Mr. Vatis where 
we are on that.
    Mr. Spotila. Mr. Vatis is probably much more familiar with 
the details of that than I am.
    Mr. Horn. So OMB has not really been involved with that? It 
has been left to Mr. Vatis's organization?
    Mr. Spotila. We have not been directly involved in that to 
my understanding. We're aware of it now and I know that we have 
asked for further information on it.
    Mr. Vatis. Mr. Chairman, the Carnivore technique and other 
methods for electronic surveillance are the province of the 
FBI's Laboratory Division. The NIPC is one of the consumers of 
those techniques, just as the Organized Crime Program, the 
Counterterrorism Program, etc., are users of that technique. 
And my understanding is that we have had a small number of 
computer intrusion cases that have used that technique through 
the Laboratory Division.
    Mr. Horn. Before you leave, Mr. Spotila, I was obviously 
interested in the $1.8 billion last year and now $2 billion 
this year. Did representatives of the administration make their 
case before either the authorization committees or the 
appropriations subcommittees?
    Mr. Spotila. My understanding is they have. And I think 
that some of these decisions remain out there in the initial 
markups. A number of these areas are not being funded, which 
has been raised certainly to a level of concern internally. 
Sometimes that reflects perhaps less of a willingness to deal 
with crosscutting initiatives that affect lots of agencies, 
particularly in a context of relatively lean resources at the 
subcommittee level.
    This is a transition area. That is one of the reasons that 
I refer to it in my testimony. We are all in a position of 
change here and as we try to work with the agencies to look for 
crosscutting approaches, one of the realities is that the 
appropriations process is not always set up to look at it the 
same way.
    We obviously have not been effective enough in making the 
case because the record thus far in terms of how the 
appropriations subcommittees are dealing with it is not as good 
as we would like it to be. But the process is not over, which 
is one of the reasons we wanted to call it to your attention as 
well.
    Mr. Horn. I am delighted that you did. And if you want to 
give me a letter that I can play postage man with the 
appropriators, I would be glad to do it.
    Mr. Spotila. Certainly, we will do that. We will follow up 
with that.
    Mr. Horn. Thank you very much and I know that you have----
    Mr. Spotila. Thank you very much, Mr. Chairman. Thank you 
for your courtesy.
    Mr. Horn. OK. Back to the regular order. Our next speaker 
has come a long way also, and that is Mr. Elfren Meneses, the 
Antifraud and Computer Crimes Division, National Bureau of 
Investigation of the Philippines. Mr. Meneses.
    Mr. Meneses. Mr. Chairman, members of this committee, good 
morning. I am Elfren Meneses. I come from Manila, Philippines 
and am presently employed in the National Bureau of 
Investigation.
    My agency is under the Department of Justice, and its 
history is that it started as a Division of Investigation in 
the Department of Justice and later on organized as the 
National Bureau of Investigation under Republic Act 157 in June 
1947. Under the Republic Act 157, as amended, the NBI is 
empowered to investigate crimes and other offenses against the 
laws of the Philippines both at its own initiative and as 
public interest may require; to assist when officially 
requested in the investigation or detection of crimes and other 
offenses; to act as national clearinghouse of criminal records 
and other information for use of all prosecuting and law 
enforcement entities in the Philippines; to give technical help 
to all prosecuting and law enforcement officers, agencies of 
the government, and courts which may ask for its service.
    Its added functions include to investigate Tanodbayan 
cases; to actively participate in the activities of the ICPO-
Interpol; and to perform such other related functions as the 
Secretary of Justice may assign from time to time.
    The NBI is composed of six services; namely, the Special 
Investigation Services, which is based in Manila and charged 
with the investigation of common crimes, heinous crimes, white 
collar crimes, and transnational crimes. The other services are 
the Regional Operation Service, the Domestic Intelligence 
Services, the Technical Services, the Administrative Services 
and the Controller Services.
    The investigator in the National Bureau of Investigation is 
called an NBI agent with the qualification that he must be a 
member of the Philippine Bar or he must be a lawyer or a 
Certified Public Accountant. He must be between the ages of 24 
and 35 years old and must not have a derogatory record.
    On the issue of computer law of the Philippines, a week 
after the start of the investigation of the ``ILOVEYOU'' virus 
by the National Bureau of Investigation, the 11th Congress of 
the Republic of the Philippines and the Senate started 
reviewing pending bills in both houses. On June 14 of this 
year, President Joseph Ejercito Estrada approved Republic Act 
No. 8792, entitled ``An act providing for the recognition and 
use of electronic commercial and noncommercial transactions, 
penalties for unlawful use thereof, and other purposes.'' It is 
also called as our E-commerce Act.
    Prominent in this law is section 33 of Republic Act 8792 
wherein it states: The following acts shall be penalized by 
fine and/or imprisonment, as follows: Hacking or cracking, 
which refers to unauthorized access into or interference in a 
computer system/server or information and communications 
system, or any access in order to corrupt, alter, steal or 
destroy, using a computer or other similar information and 
communication devices without the knowledge and consent of the 
owner of the computer or information and communication system, 
including the introduction of computer viruses and the like, 
resulting in the corruption, destruction, alteration, attack or 
loss of electronic data, message, or electronic documents, 
shall be punished by a minimum fine of 100,000 pesos and a 
maximum commensurate to the damage incurred and a mandatory 
imprisonment of 6 months to 3 years.
    Now, on the issue of international cooperation, the 
cooperation between the National Bureau of Investigation and 
the FBI Legal Attache in Manila in the investigation of cyber 
intrusion is excellent. Fast and constant exchange of 
information by both offices is always assured. Technical people 
from the FBI are immediately sent to the Philippines upon need 
to confirm evidence gathered by the NBI agents.
    To update the NBI agents in their investigation of cyber 
intrusions, Legal Attache in Manila recommends the training of 
agents at the FBI Academy in Quantico, VA or any FBI-sponsored 
training conducted in the Philippines.
    An example of this is the investigation of the ``ILOVEYOU'' 
virus wherein both offices, the NBI and FBI Legal Attache, 
worked closely from the startup to the termination of the 
investigation and even after the filing of the case before the 
Department of Justice of the Philippines.
    Another example of cooperation by both offices is the 
arrest and deportation of U.S. fugitives in the Philippines. As 
of the end of June this year, there were 15 U.S. fugitives 
arrested, 13 of which were deported to the United States, two 
are still in the process of extradition.
    At this point in time, we also coordinated during the Y2K 
millennium bug. And in line with its international relations, 
the NBI is actively participating in tracing perpetrators of 
cyber intrusions, as well as personalities known for bank fraud 
and other electronic commercial offenses. These efforts the NBI 
will continue to pursue as it honors its commitment to the 
global community.
    At this stage I would like to thank you, Mr. Chairman, for 
inviting us here and to give our statement. Thank you very 
much.
    [The prepared statement of Mr. Meneses follows:]
    Mr. Horn. We definitely appreciate all you have gone 
through and we are delighted to have you share those 
experiences with the rest of us. So we will get to some of that 
more in the question period.
    We will now go to Mr. Ohad Genis, advocate, chief inspector 
National Unit for Fraud Investigations, Israeli Police. 
Welcome.
    Mr. Genis. Good morning and shalom to everyone. And by the 
way it is Genis, not Jenis.
    On behalf of the Israel Police, I would like to thank you 
for this tremendous opportunity to appear before you and 
discuss our point of view concerning cyber crime and 
international cooperation. Of the 50 cyber crime cases dealt 
with by our department, 20 cases had an international 
component.
    I would like to stress that our department does not handle 
all the cyber crime cases in Israel. Cases that are of local 
interest or that do not require intensive organization are done 
by the field units and, unfortunately, I don't have their data. 
However, I can estimate that more than 30 percent of our cases 
require international cooperation and there is definitely a 
growing number of cases--of requests, sorry, for international 
assistance.
    In the global arena when referring to the Internet as a 
borderless scene of a crime, an effective international 
cooperation is the key to success. And when I say effective, I 
mean both the accuracy of the data received from abroad and the 
time it takes to be transferred.
    Today, all of the Israel ongoing cooperation is with the 
United States, which we warmly welcome since you always deliver 
the goods with the help of the great and most efficient legal 
attaches in Israel, Special Agents Kerry Gleicher and Scott 
Jessey, and we enjoy an excellent working relationship with the 
FBI.
    However, during an investigation when we are obliged to 
request for international assistance, due to the complexity of 
the legal process, we know for sure that we have lost the time 
momentum and that the entire investigation will be put on hold 
for weeks and sometimes for months until we receive the 
relevant information, and I'd like to elaborate briefly on 
that.
    We all know that in order to transfer data from one 
computer to another we must use a protocol, and the protocol 
used on the Internet is the Transmission Carrier Protocol, 
known as the TCP/IP. This protocol identifies each and every 
computer connected to the Internet by a number called IP 
address, Internet Protocol address. And theoretically, each and 
every computer connected to the Internet receives a unique IP 
address.
    We all use this IP address to trace our suspects. And most 
of our requests are for the identity of the user who used this 
specific IP address, or what was the IP address used by the 
user who sent a specific e-mail message.
    For this data we still have to wait weeks and months and we 
believe that what is required today is the establishment of a 
central organization which will handle all requests for 
international assistance with on-line access, which will 
accelerate all the legal process--all the process of requesting 
international assistance.
    Another matter that I'd like to mention is conducting 
international conferences. International conferences have 
proved themselves as being most efficient in all aspects of 
international cooperation, including sharing of experience, 
views and assumptions of solutions to common problems, etc. I 
had the privilege of participating in a conference held at the 
FBI Academy in March this year, and I can state categorically 
that our investigations have--our investigations benefited 
significantly from that conference in many aspects.
    I would also like to mention that most of the foreign 
investigators, including the FBI investigators, felt that 
meeting face-to-face would assist us in our future cooperation.
    I'd like to mention the time it takes for us to receive 
requested assistance from abroad now can be used by the hackers 
and they can to their advantage gain from this complication of 
law enforcement and use it to their own benefit, where in these 
investigations the time is of the essence.
    In summation, I would like to say that in the high 
technology era, the establishment of an international center 
that would handle requests--international requests with on-line 
access and conducting international conferences and trainings 
would be the key to a successful joint effort in fighting cyber 
crime.
    Thank you very much.
    [The prepared statement of Mr. Genis follows:]
    Mr. Horn. We thank you very much. That's a very helpful case 
study.
    We now go to Mr. Edgar A. Adamson, the Chief of the U.S. 
National Central Bureau, Interpol. Thank you for coming.
    Mr. Adamson. Mr. Chairman, thank you for providing me the 
opportunity to participate in today's subcommittee hearing on 
computer security issues. I am currently assigned to the 
position of Chief of the U.S. National Central Bureau of 
Interpol. I am a U.S. Treasury Special Agent with 30 years of 
experience with the Customs Service Office of Investigations. 
The Interpol U.S. National Central Bureau is a component of the 
Department of Justice with representatives from 16 different 
U.S. Federal law enforcement agencies, including a management 
team from both the Department of Justice and the Department of 
Treasury.
    As you are well aware, the information revolution has 
changed the world forever, transforming the way we think and 
the way we use information. Our dependence on these new sources 
and methods grows daily, and at least some part of nearly every 
interaction we undertake now occurs within this virtual world. 
Of course, this widespread dependence increases our 
vulnerability to criminal activity.
    The ease with which criminals can access the means 
necessary to commit cyber crimes, the multiple jurisdictions in 
which these crimes are committed and the lack of adequate 
legislation for computer-related crime and the seemingly risk-
free environment for the cyber crime perpetrator are all 
factors that point to a likely increase of this type of crime 
in the future.
    Cyber crime is truly international in character as the 
electronic frontier has no bounds. It demonstrates that the 
need for international law enforcement cooperation has never 
been greater. To respond effectively, the U.S. law enforcement 
authorities must be able to overcome some very real cultural, 
linguistic, legal and digital barriers that complicate the 
positive exchange of criminal investigative information across 
national administrations and sovereign boundaries.
    Interpol exists to facilitate this critical exchange among 
its 178 member countries and provides the necessary framework, 
rules of police cooperation, and essential tools and services 
that promote the adoption and use of international standards, 
foster best practice, and permit investigative results.
    Interpol recognizes the severity of the cyber crime 
challenge and is committed to achieving effective computer 
security and cyber enforcement through the development and 
delivery of operational programs and training and the 
establishment of international standards and the promotion of 
best practices worldwide.
    Interpol is in the unique position to facilitate timely and 
reliable notification concerning intrusion attempts and 
information on the widespread computer viruses through its 
worldwide communications network. The strength of the Interpol 
organization lies in the frame of law enforcement information 
exchange.
    Interpol has established rules for police cooperation in 
its 178 countries. Interpol has been around for 75 years. It is 
the only global police organization. Worldwide on-line 
communications network links its membership. It is reliable, 
immediate, global, and it overcomes all the cultural, 
linguistic, and legal barriers.
    The Interpol organization participates with other 
international organizations and national regional bodies. It 
participates and is a member of the G-8 Subgroup on High-tech 
Technology. It participates in the Council of Europe, and has 
observer status at the United Nations.
    Regarding cyber crime, Interpol is a means again as to 
whereby we can exchange information on the varieties of cyber 
crime. We have a point of contact in all countries for 
immediate notification of security computer alerts, etc. We 
again work with the G-8 High-tech Subgroup. We coordinate 
training programs and we have various neutral forum meetings to 
develop best practices.
    In recent years, the United States has made a strong 
commitment to Interpol. The U.S. Customs Commissioner Raymond 
Kelly has served for the last 3 years as Vice President for the 
Americas on Interpol's 13-member guiding Executive Committee, 
and FBI Deputy Director Tom Pickard has announced his intention 
to continue U.S. leadership in the organization and will stand 
for election to the Interpol Executive Committee this November.
    Also this November, Ronald K. Noble will become the first 
non-European and the first American to hold the position of 
Interpol General Secretary--Secretary General in Lyon, France 
for a 5-year term. His candidacy was strongly supported by the 
heads of U.S. law enforcement organizations and prevailed on a 
platform of change to realize the organization's full 
potential. His vision for Interpol advocates greater inclusion 
for all its member nations and better use of electronic 
communication tools to increase the speed, accuracy and 
reliability of law enforcement exchange.
    In conclusion, Interpol membership and participation 
increases the likelihood for detection, timely notice and law 
enforcement response to cyber intrusions. It also permits 
access to a 24-hour network of international experts and over 
40 countries in a secure and confidential manner. Our ability 
to deal effectively and efficiently with cyber crime can be 
enhanced through competency building for less experienced 
enforcement agencies worldwide and through continued 
coordination and cooperation among U.S. law enforcement 
agencies dealing with various aspects of this emerging crime 
area.
    I thank you again for permitting me the opportunity to 
address the subcommittee, and I am happy to answer any 
questions.
    [The prepared statement of Mr. Adamson follows:]
    [GRAPHIC] [TIFF OMITTED] T4152.064
    
    Mr. Horn. Thank you very much. That is a very helpful 
statement. We now move to Mr. Richard Schaeffer, Jr., Director, 
Infrastructure and Information Assurance, Office of the 
Assistant Secretary of Defense for Command Control 
Communication and Intelligence. Join us up here, and we will 
join the others also. If we might get you all around that 
table, we would appreciate it, if the staff would do that. 
Might get another table over here. But we like to have a dialog 
once we are done with all of the presenters, and I would just 
as soon have everybody at the same table if that is possible.
    Mr. Schaeffer, please proceed.

      STATEMENTS OF RICHARD C. SCHAEFFER, JR., DIRECTOR, 
    INFRASTRUCTURE AND INFORMATION ASSURANCE, OFFICE OF THE 
       ASSISTANT SECRETARY OF DEFENSE (COMMAND, CONTROL, 
    COMMUNICATION, AND INTELLIGENCE); MARIO BALAKGIE, CHIEF 
  INFORMATION ASSURANCE OFFICER, DEFENSE INTELLIGENCE AGENCY, 
DEPARTMENT OF DEFENSE; AND JACK BROCK, DIRECTOR, GOVERNMENTWIDE 
AND DEFENSE INFORMATION SYSTEMS, U.S. GENERAL ACCOUNTING OFFICE

    Mr. Schaeffer. Thank you, Mr. Chairman. I appreciate the 
opportunity to be here today to discuss this very important 
topic.
    To set the stage for my remarks, I'd like to say a few 
words about the environment in which the Department of Defense 
[DOD], conducts its daily operations during peacetime, during 
crisis, and even during war.
    The Department's steadily increasing dependence on a global 
information environment over which it has little control 
heightens its exposure and vulnerability to a growing number of 
increasingly sophisticated internal and external threats. 
Globally internetworked and interdependent information systems 
tend to level the playing field between allies and adversaries 
and offer adversaries access to potentially high value, low 
risk information infrastructure targets.
    These targets, if successfully attacked, have the potential 
to impact the full spectrum of DOD operations. To attack a 
large number of systems, an adversary need only find and attack 
a single exploitable connection to the system. Once inside the 
system, an adversary can exploit it and the systems networked 
to it. Further, with every advance in information technology, 
new vulnerabilities are created that must be quickly discovered 
and effectively neutralized.
    Providing for the protection of the defense information 
infrastructure is one of the Department's highest priorities 
and most formidable challenges. Within the DOD, we have 
established detailed procedures for the coordination of all 
cyber events. The Joint Task Force-Computer Network Defense 
[JTF-CND], was formed on December 30, 1998, to provide a single 
command with the authority to coordinate and direct the defense 
of the DOD computer systems and networks.
    Prior to the formation of the JTF, no single entity had the 
authority to coordinate and direct a DOD-wide response to a 
computer network attack. The JTF-CND and the NIPC, the National 
Infrastructure Protection Center, form a strong collaborative 
team for dealing with attacks on DOD systems.
    Over the past 18 months, the JTF-CND has developed 
processes for identifying attacks against DOD networks, 
assessing the importance of those attacks, notifying 
appropriate headquarters of the information, developing and 
implementing responses to them, and coordinating with external 
organizations such as the NIPC. The DOD relies on the NIPC to 
coordinate cyber attack indications and warning with the 
Nation's critical infrastructure elements--communications, 
power, etc.--upon which the Department depends for mission 
success.
    In closing, I would like to say a few words about where we 
are today and where we need to be in the future. Today it takes 
us at best hours to transition from detection to warning. At 
worst this could be days. The attacks are perpetrated and 
executed in milliseconds. We must develop the technology, 
capabilities, processes, and legal framework to respond to 
cyber events in real-time. There will come a time when our 
capabilities will be tested, and national security or the 
economic security of the Nation will depend on components like 
the JTF-CND, NIPC and others working collaboratively in 
response to the event.
    I want to thank the subcommittee again for providing an 
opportunity for the Department of Defense to present its views 
on this very important issue, and we look forward to continuing 
to work with Congress to ensure that we are able to meet these 
ever increasing challenges.
    [The prepared statement of Mr. Schaeffer follows:]
    [GRAPHIC] [TIFF OMITTED] T4152.086
    
    Mr. Horn. Thank you very much. That is a helpful statement, 
and I am delighted to see that they have got some depth over 
there under that Assistant Secretary, because we worried 
through Y2K after the general retired.
    So we now go to Mario Balakgie, Chief Information Assurance 
Officer, Defense Intelligence Agency, Department of Defense.
    Mr. Balakgie. Thank you, Mr. Chairman and members of the 
committee. I am honored to be here to have this opportunity to 
speak on the challenge of coordinating response to computer 
security threats. I am here to present the views and opinions 
of the Defense Intelligence Agency within our role for 
information assurance mission of the Defense Intelligence 
Community.
    The business of intelligence is unique because of what we 
do. But when it comes to how we operate, we are driven by the 
information age. We rely on a global information infrastructure 
using technology as an integral tool to carry forward our 
mission of intelligence. Unlike in the past we now operate in 
an interconnected and interdependent environment, giving us 
tremendous benefit but not without security risk to our 
information infrastructure.
    Today's challenge is to ensure the protection of those 
infrastructures against the cyber threat and requiring a 
community-wide approach to a coordinated and active defense. 
Whether it is the Intelligence Community, the larger Federal 
Government or the private industry, each face common 
impediments to conducting a coordinated response.
    The interconnected environment has opportunities and risks. 
The worldwide nature of threats, the attacks from anyone at any 
time, does not discern organizational boundaries. The reality 
of threat presents fundamental challenges and they are: our 
ability to detect the cyber event through the use of real-time 
sensors; discerning if the event is an attack or an anomaly; 
conducting timely analysis to determine attribution and finally 
reacting.
    To further complicate a coordinated response there are 
existing varying protection policies within interconnected 
communities, making it difficult to execute an all encompassing 
defensive action. For example, the various owners of networked 
infrastructures do not necessarily agree on what may or may not 
be constituted as an attack, how to respond to a cyber attack 
or what defensive measures are required.
    The most significant issue we face in conducting 
coordinated response of cyber threat is the demands for skilled 
and qualified personnel who have an understanding of 
information and security technologies. In particular, intrusion 
detection systems require specialized skills to monitor 
networks for incident detection, conduct analysis of anomalies 
and ultimately react.
    While we can implement sophisticated security technology, 
without these trained professionals, even our best security 
defenses will not be effective.
    The Defense Intelligence Community has several initiatives 
under way to ensure our incident response and defensive efforts 
are coordinated. Those initiatives are described in my 
statement, but I would like to point or highlight at least one 
of them, and that is risk management.
    For us to understand our infrastructure strengths and 
weaknesses, we are integrating risk management as a business 
practice to determine critical assets, protection requirements, 
and establishing priorities. Risk management will enable us to 
emphasize the business process whereby resource decisions are 
made in a consistent and methodical manner.
    Finally, our response to cyber threats shouldn't be 
misconstrued as a one-time issue but rather a never ending 
challenge. We must commit to the information assurance mission 
constant vigilance and protecting the information 
infrastructure. Our defensive efforts must be comprehensive in 
nature and include coordinated strategies within the government 
as well as private industry.
    This challenge is best characterized as a long-term 
business of risk management balanced against threats, 
vulnerabilities and ultimately the return of our investment. On 
behalf of the Defense Intelligence Agency, thank you for the 
opportunity to present our views and opinions.
    [The prepared statement of Mr. Balakgie follows:]
    [GRAPHIC] [TIFF OMITTED] T4152.091
    
    Mr. Horn. I am going to take the chairman's right to ask a 
question at this point. I would be curious as to the 
biometrics--I am very interested in your insider bit because 
that is what often does and has a real problem in either the 
private sector, the public sector, whatever, to what degree are 
we moving fairly rapidly to that so we would be able to at 
least deal with where the insider is and either to lock him out 
or lock him in?
    Mr. Balakgie. Well, the first challenge for us is to detect 
the insider and we are relying on the use of intrusion 
detection systems to be able to do that. Those technologies are 
currently implemented with a variety of sensors, what we refer 
to as sensors, throughout our infrastructure.
    They are--the sensors are gauged, if you will, to detect 
certain events. Those events trigger a warning and then we in 
turn pursue what could be an insider.
    I would tell you that the technology is mature; however, 
against a sophisticated insider, this still presents a 
challenge in determining who they are and what they're doing.
    Mr. Horn. Well, thank you very much. I am sure my 
colleagues will have questions later. Our next presenter is Mr. 
Jack Brock, well-known to this subcommittee. He is the Director 
of Governmentwide and Defense Information Systems for the U.S. 
General Accounting Office, an arm of the legislative branch. 
Mr. Brock.
    Mr. Brock. Thank you very much, Mr. Horn. It is always a 
pleasure to be here. I feel like I am at my grandmother's 
dining room at Christmas time. It is good to have a seat at the 
table. It is crowded.
    Mr. Horn. I apologize that we did not think about it to 
start with.
    Mr. Brock. I think you heard from most of the witnesses 
that we live in a world where we are talking about a cyber 
threat that is not defined by geographic boundaries, and the 
lack of traditional boundaries really presents a challenge to 
nations to consider new strategies and new ways of dealing with 
this. No longer are you dealing in a physical world where you 
can more easily recognize the threat, but where you frequently 
have more time to react to the threat. The threat is there. It 
is sudden, it is real, and you have to react immediately.
    Further, the ownership of the problem is not just with the 
national governments. It resides with all elements of the 
critical infrastructure. And that can be public utilities, it 
could be the financial sector, as well as Federal agencies, but 
a whole variety of players are involved here and they all need 
to be at the table. I think today you got a good overview from 
the law enforcement agencies, but if you had a different panel 
tomorrow and you had people from the financial sector or people 
from the telecommunications, you might be getting a slightly 
different perspective. The problem might be the same, but the 
response and the reaction to it could well be different.
    Further, this infrastructure that these organizations deal 
in is complicated by the exponential spread and support 
evolution of information technology. And frequently the 
technology and the ability to exploit that technology runs 
ahead of the ability to detect and respond, and that is a very 
serious problem.
    There are three elements to this issue. First, do we need 
to be concerned about it? Second, if we do need to be concerned 
about it, what are the challenges that have to be overcome to 
have an effective response? And then, third, how do we begin to 
address the challenges?
    First on the threat, I don't need to repeat what these 
gentlemen have all told you. There is a very real threat and 
that threat can come from an insider. That threat can come from 
a lone hacker who is out for a joy ride, from an organized 
group of hackers, from a terrorist group or, as NSA estimates, 
from 1 of over 100 countries that now have the capability of 
launching an offensive cyber attack.
    I think the potential for real damage has been highlighted 
by the ``ILOVEYOU'' virus, the denial of service, the Melissa 
virus. While none of these caused catastrophic damage in an 
overall sense, it demonstrated the very real potential for 
damage by cyber attack.
    The challenges, we have identified in the statement four 
challenges. First of all, establishing trust relations. You 
have so many people that are at the table, just like we are at 
this table, that have to work with one another. And even though 
law enforcement people might work together, share information, 
frequently the private sector do not want to share information 
with the law enforcement. They see it as a one-way street. You 
give information but you don't get anything back.
    You have to establish a trust relationship between 
different government entities, some who have less than friendly 
relationships with each other. You have to establish 
relationships between the government and the private sector. 
You have to balance off national security versus economic 
threat. There are a whole series of relationships that have to 
be established, and it is really not realistic to assume that 
everyone shares the same perspective or views the threat in the 
same way or views the response in the same way.
    The second challenge is related to that, but it goes to 
reporting needs and mechanisms. What kind of information do you 
need to be responsive? How do you best share it? What's the 
protocol for sharing it and how do you do it in a timely manner 
so that it is effective?
    Third, and this was touched upon by several panel members, 
are the need for technical capabilities. We have a real lack of 
technical skills within the government, and I think elsewhere, 
for dealing with this. Computer security is clearly underfunded 
and underrepresented in most agencies. Most agencies or many 
agencies do not have the skills that are necessary to provide a 
level of protection.
    We lack intrusion monitoring systems. The Department of 
Defense has taken a real leadership role in moving out on this, 
but this is still a very new area where we don't have the 
systems in place that can effectively monitor intrusions.
    And last, and I think the thing that bothers us the most 
right now is what the national plan calls for in making the 
Federal Government a model. And as you know from prior 
statements before you, the Federal Government is far, far away 
from being a model. Virtually every Federal agency has severe 
computer security problems that put their operations at risk. 
And if the Federal Government is going to be in a position to 
speak about the need for developing national and international 
infrastructures, it needs to get its own house in order and we 
are far from that.
    In terms of addressing the challenge, as you heard today, a 
lot is being done. There are a lot of organizations that are 
sharing information. These organizations certainly exist within 
the United States and they certainly exist internationally. But 
within our own government, that's done without an effective 
framework. The national plan for information systems 
protection, which the first version was issued earlier this 
year, lays out the beginning of a framework dealing with 
Federal Government. The next version is supposed to bring in 
the international and private sector, but a framework is a long 
ways away from having an effective implementation of the 
policies that are needed to in fact do the balancing act that 
you need between the various sectors to establish the trust 
relationships, to develop the effective coordination mechanisms 
that are required to address the challenge.
    So the challenges to be addressed is a comprehensive 
framework. This needs to be developed, it needs to be vetted, 
it needs to be bought into. It needs to allow each of the 
components to clearly define their individual needs. There 
needs to be an opportunity to balance these needs against the 
national need and, last, to develop and implement strategies to 
meet those needs.
    This is going to take leadership. This is going to take a 
real commitment, a prolonged commitment, it will take time and 
undoubtedly take a great deal of money.
    That concludes my summary, Mr. Chairman.
    [The prepared statement of Mr. Brock follows:]
    [GRAPHIC] [TIFF OMITTED] T4152.100
    
    Mr. Horn. Well, thank you very much. If Mr. Pescatore would 
join us over there and, staff, see if we could turn around one 
of those heavy awful tables that we suffer through here, and we 
have Mr. Molander already at the table. And we are going to 
move to Mr. Molander. He is the senior researcher for the RAND 
Corp. that does a lot of good work domestically and foreign. So 
it is nice of you to appear here.
    So where is Mr. Molander? There we are. He moved to the 
right place to make sure he could get recorded.

 STATEMENTS OF ROGER MOLANDER, SENIOR RESEARCH, RAND; AND JOHN 
   PESCATORE, VICE PRESIDENT AND RESEARCH DIRECTOR, NETWORK 
                    SECURITY, GARTNER GROUP

    Mr. Molander. Thank you, Mr. Chairman. Mr. Chairman and 
members of the committee, the RAND Corp. has done a large 
number of studies on the problems that are being addressed here 
today, including conducting many national and international 
strategy policy and operational exercises, you might call them 
cyber war games, in the area of critical infrastructure 
protection as well as in the cyber crime arena, looking at the 
impact of the Internet on things like Internet banking, 
Internet gambling, and the whole impact on money laundering.
    My testimony today is a distillation of that experience put 
together by myself and two RAND colleagues, Robert Anderson and 
Richard Mesic. In light of the comments that have already been 
made, I am going to offer a few overview perspectives, 
hypotheses, lessons learned from about 5 years of doing 
research in this area.
    First, to enable and motivate a more effective dialog 
between government and the private sector, the government 
needs, as was mentioned, a specific and much improved framework 
for targeting the interests of individual infrastructure 
sectors and companies.
    You might say in a sense, Mr. Chairman, it's the private 
sector that is the key here at the present time. The private 
sector wants the government to provide threat intelligence, the 
government wants the private sector to share sensitive 
vulnerability information. To date neither can or will deliver 
in a manner that the other deems adequate.
    A second point, the companies that are running the critical 
infrastructure systems all have quite significant risk analyses 
and contingency plans for various outages and problems; 
however, for this kind of threat the balance between risk and 
cost chosen by individual companies may not be deemed best for 
overall national security interests as judged by the government 
in carrying out its responsibility. Additional resources are 
undoubtedly going to be required. This cost gap-filling 
challenge must be addressed by the Federal Government. The 
expectation that the private sector will carry all of these 
costs is terribly misleading.
    Third, for those critical infrastructures which are 
potentially under attack it is prudent to assume that the 
threat actors, whoever they might be, wherever they might 
operate, whatever their motivation, are likely to eventually 
find vulnerabilities. Nature abhors a vacuum. They will be 
found. We need to assume almost that any major vulnerability 
will be found by some malevolent actor. To the extent that 
actions to protect the infrastructure cannot for cost, 
political or other technical reasons be implemented fully on a 
day-to-day basis, alert and warning and response systems are 
critical. Effective AWR, as we call them, architectures are 
likely to involve a hierarchy of intersected alert and warning 
systems where the best role for the government probably is to 
try and take the lead in creating and coordinating almost a 
system of alert and warning systems and then independently 
provide sort of motivation for response plans being well vetted 
and well organized so that people understand what will happen 
when some alert and warning comes.
    The fifth point, any significant attack of a kind that 
might be characterized as strategic in character would almost 
certainly be preceded by various testing and probing 
activities by the attacking party. This is going to be an 
ongoing active process, as we have heard. Any data is likely to 
become dated from an offensive or defensive standpoint, and 
possibly obsolete quickly. We need to adapt to this kind of 
dynamic situation.
    Six, given our current knowledge base the CIP problem is 
probably too complex and dynamic at this stage for any single 
unified strategic concept framework or approach. That means 
that we have to break the problem down in manageable pieces 
nationally and internationally and attack the pieces. The kind 
of unified framework that we would also like to have is 
something that at best will take place over time.
    It is clear, I think, that there is no simple solution 
silver bullet for enhancing U.S. or global critical 
infrastructure protection. It is not clear how vulnerable key 
sectors are, how widespread the effects of a major attack might 
be, how various responses to that attack, how effective they 
might be, how well an adversary could marshal the next 
knowledge and resources to mount a strategic level attack as 
opposed to what you might call duck bites without extraordinary 
preparation.
    At this time the best approach probably both nationally and 
internationally is to get down into the details for each 
individual infrastructure. Every infrastructure is different in 
terms of their preparation, their risk assessments and their 
planning. One needs to look at the particular attack modes that 
are going to be--classes of attack modes that are going to be 
most troublesome for individual infrastructures, electric 
power, telecommunications, etc.; the particular generic 
vulnerabilities that are most worrisome for that sector that 
can be projected with time even though technology changes; the 
type and extent of effects of the damages the sector might 
suffer, the importance to the Nation of those effects, and 
finally the types and effectiveness of responses that might be 
expected by the private sector and the government.
    Let me reiterate as a close, it is the private sector, Mr. 
Chairman, that is the real challenge at this point for 
government.
    Thank you.
    [The prepared statement of Mr. Molander follows:]
    [GRAPHIC] [TIFF OMITTED] T4152.122
    
    Mr. Horn. Well, we thank you and your colleagues for that 
fine presentation.
    Mr. John Pescatore is the vice president and research 
director, Network Security for the Gartner Group.
    Mr. Pescatore. Good morning and thank you, Mr. Chairman and 
the committee, for this opportunity. It looks like I am batting 
cleanup here. You have heard from a lot of constituencies. In 
my 22 years working in information security, I have actually 
worked for the Intelligence Community, the law enforcement 
community, private industry, in developing firewalls and 
public key encryption, and now with Gartner Group, working with 
thousands of our clients across the world addressing their 
security problems.
    Add the citizens to the stakeholders in this, and it is a 
complex problem, and the key is sharing across those 
communities. The Internet definitely rewards sharing, it 
actively rejects attempts at hierarchal command and control and 
routes around them, to paraphrase a famous Internet saying. 
What within this mix can the government do to facilitate 
sharing is the key issue we have touched on I think in a number 
of ways here.
    First, we have heard several times, and I will certainly 
second it, that the government should first clean up its own 
act in computer systems and make sure that government computer 
systems are secure and well managed. We've seen an explosion in 
use--business use of the Internet that really vastly outpaces 
the growth of crime against the business use of the Internet 
today. We see companies like Cisco and Intel and Intuit getting 
the majority of their revenues through sales over the Internet. 
They figured out how to do it securely and still run leading 
businesses.
    So the solutions, the technologies and the processes are 
there. They need to be emulated and replicated across all 
systems, and government systems are a prime example. We 
estimate it takes anywhere from three to five times more 
effort, more total cost of ownership to secure an Internet 
exposed application than one that has traditionally been inside 
a closed environment. If you use today's point solutions and 
antiquated processes that we see many government agencies 
trying to use, if you use architectural solutions, redefined, 
reengineered processes, those costs can be halved and become 
much closer to what it takes to do so behind the firewall.
    So first point, government effort to secure government 
systems, that is one key inhibitor to private industry willing 
to share the threat information with the Federal Government. 
Will it be protected when it is stored by the Federal 
Government?
    Second key point, the government certainly plays a role in 
defining security standards and can put its buying power behind 
those standards. We see the National Institute of Standards and 
Technology [NIST], with the National Information Assurance 
Program putting together protection profiles for various 
technologies and systems. Some very good efforts there. Not 
quite working on Internet time, more bureaucratic time; need to 
move up to Internet speeds, and not quite so focused on a 
prioritized list of what makes the most sense to e-business and 
the needs of all these various constituencies. I think that can 
be improved.
    The government can certainly learn some lessons from what 
it did in the Y2K period. There were many things that others 
put together for Y2K; for example, in the National Security 
Telecommunications Advisory Council [NSTAC], is an example of a 
very workable way of sharing threat information between private 
industry on the critical infrastructure side and the 
government. Did a lot of good work for Y2K.
    Another suggestion that we have, we saw the Securities and 
Exchange Commission require publicly traded companies issue Y2K 
status information in their quarterly and annual reports. Let's 
see that for security information. Let's see the government 
help make security part of the bottom line versus an 
afterthought for many of these companies. I think that would go 
a long way.
    I want to point out we don't see a need for more alphabet 
soup of committees and task forces to address this problem or 
coordinate this problem. We see plenty of those. We see many 
successful examples, things like the Forum of Incident Response 
Security Teams, the Carnegie-Mellon Computer Emergency Response 
Team, things starting up in the Federal Government like FedCERT 
to share information. We have enough mechanisms. We need to 
move them forward and increase sharing.
    I will sum up, with that buzzer going off, to say we see a 
lot of successful use of the Internet increase the bottom line 
of companies, make things more convenient for citizens. 
Certainly we know cyber crime and information warfare will 
follow and it will require leadership by the government to 
address those. I think the government can learn from what 
private industry has done successfully and adopt best practices 
on government systems and sponsor leading practices and 
standards that will apply across the infrastructure. Thanks for 
your time.
    [The prepared statement of Mr. Pescatore follows:]
    [GRAPHIC] [TIFF OMITTED] T4152.127
    
    Mr. Horn. Thank you very much. We will begin the 
questioning with the ranking member, Mr. Turner. Each of us 
will take 10 minutes. And as you can see by the ruckus on the 
bells, we have another vote so we will both have to get there. 
But we will get started here with 10 minutes to the gentleman 
from Texas.
    Mr. Turner. Thank you, Mr. Chairman. Mr. Pescatore, I 
wanted to follow up with you. You made a comment there that we 
did not need any more task forces or study groups, and then you 
also made a comment that we had the necessary entities. You 
referred to the Carnegie-Mellon Institute. I guess it is a 
similar operation to what we do at the Federal level. Did I 
gather you said those were sufficient that we had in place?
    Mr. Pescatore. Well, we have the mechanisms, things like 
CERT teams and FIRST and across DOD and the civilian government 
and private industry for sharing the--for coordinating 
response. We need a number of things to help make information 
sharing easier. Many have been addressed in the testimony. 
Things like the Freedom of Information Act being addressed to 
make sure that information shared will stay private, will not 
be releasable. Making sure information sharing is bidirectional 
between these communities as much as possible.
    So there are ways that we can increase the sharing between 
these mechanisms, but I don't think we need more mechanisms.
    Mr. Turner. We have a number of people here from various 
countries around the world. What would you see as the greater 
need internationally in this area? We all talk about and 
everybody has mentioned we need greater cooperation. What does 
that translate into in terms of actual activity?
    Mr. Pescatore. Well, I think what you see the most need for 
is increased communication between the different layered 
communities. For example, Interpol between law enforcement, the 
various NATO and other mechanisms between DOD, and there are 
existing mechanisms like FIRST that interoperate between 
companies across countries. The flow between those three 
communities is near zero. That needs to be increased. And the 
mechanisms are there, again, but the oomph behind them is not.
    Mr. Turner. I was interested, Mr. Molander, in your 
comment. You said the problem is the private sector, not the 
government, and yet I get the impression from listening to the 
testimony that the government is increasingly going to be 
required to play a greater role, that the private sector is 
going to basically say there is a point beyond which we don't 
really want to go. We don't want to spend the money to go 
further, but that our national security needs will require us 
to go further.
    So you might want to expand on that thought a little more 
because I was getting the impression earlier that the direction 
that we needed to take was that we are going to have to 
recognize that the government is going to have a greater 
responsibility, not a lesser responsibility.
    Mr. Molander. I think that is probably right. But in the 
end, I think the real challenge right now is to bring the 
private sector to the table in seeking solutions to this 
problem. As yet, the kind of information that we would like to 
get from the private sector in terms of, for example, the kinds 
of probes that they are seeing right now, how they are 
organizing themselves for responding to certain kinds of 
attacks, classes of vulnerabilities that they can see from 
their own experience with natural sort of events and things of 
this character, these kinds of things have not yet been part of 
a dialog between the government and the private sector largely 
because the government has not been successful in making the 
case--and it's not an easy case to make at this early stage--
that there is out there perking along, you might say, the kind 
of strategic threat capability that truly would be more than 
just a cause for the kinds of problems that we saw with the 
``ILOVEYOU'' virus and things of this character.
    The private sector is, if you will, the frontier. That is 
where things are happening in terms of attacks against the 
infrastructures, more so perhaps than the attacks against the 
Defense Department. The private sector--all boats have to get 
in and start rising here, but the private sector is really 
missing in terms of aggressive participant in the larger 
strategic challenge.
    Mr. Turner. What's it going to take to get the private 
sector to move more rapidly in terms of their willingness to 
cooperate?
    Mr. Molander. Other people could comment on that as well, 
but I would say a persuasive case made by the government, 
barring some actual events, of the kinds of vulnerability that 
the private sector sees could be exploited by a malevolent 
actor who you might say catches up with the information 
revolution and catches up with the software and what not, 
changes that are being made by the infrastructure. So you might 
think of this as somebody doing a high speed merge, the 
malevolent actors doing a high speed merge on the highway. But 
the threat is that they will catch up and the kinds of dialog 
where the government makes a persuasive case for threat really 
haven't taken place yet.
    Mr. Turner. I'm not sure we do understand the threat, and 
maybe we need to have more opportunities for experts like we 
have on this panel to tell us the worst case scenarios that 
might be out there for us. We have two panelists here from the 
Department of Defense, but when we talk in terms of national 
defense we usually can identify the threat and talk about it. 
Sometimes we talk about it in top secret meetings, but we talk 
about it and that's what we try to address.
    Maybe we don't have a good perception of the real threat. 
Do any of you, particularly panelists from the Department of 
Defense, have any suggestions on how we might better educate 
ourselves on the nature of the threat? Mr. Vatis with the FBI, 
I'm sure you have some thoughts on that you could share with 
us.
    Mr. Vatis. I think I agree with the point that one of the 
things we need to do is to raise awareness about the nature of 
the threat. And, in fact, a lot of that has been going on. We 
have provided numerous briefings to different committees of 
Congress and also to many different parts of the private 
sector. As one example, I've provided a classified briefing to 
the owners and operators of the electrical power infrastructure 
because of their centrality to the functioning of all the other 
infrastructures. And I think those briefings, as well as real 
live events such as the various viruses that we have seen and 
denial of service attacks, have all done a great deal to raise 
the level of awareness. And I think they've contributed to the 
progress that actually has occurred over the last 2 years in 
terms of the private sector taking steps that it hadn't taken 
before to secure its systems.
    But I think all the awareness raising in the world is only 
going to get you so far. And then you still run up against the 
fact that companies are not going to do anything until they see 
that it's necessary to protect their bottom line and their 
ability to make profits. And I think companies are going to 
make different decisions about the probability of something 
happening. They will look at the cost of taking steps to 
prevent it from happening versus the cost of something 
happening, discounted by the probability and going through that 
sort of cost-benefit analysis. And so I think that's really 
where we need to make progress.
    The other thing that I see happening is a bit of a free 
rider problem. That especially affects the whole problem of 
information sharing. There has been a lot of talk for 2 and 
more years about the importance of information sharing. We have 
set up numerous mechanisms, some of the ones that Mr. Pescatore 
has mentioned as well as ones that the government has set up, 
including through the NIPC, to share information from the 
government to the private sector. And that's all been going on.
    But what's principally been lacking, I think, is 
information coming from the private sector to the government 
and information being shared among private sector companies. 
The free rider problem that I mentioned comes from the fact 
that companies are willing to get information that might help 
them become aware of vulnerabilities, but they're very wary of 
sharing their own vulnerability information, not just with the 
government but with their competitors in industry, because 
companies see a possible competitive advantage if they're aware 
of a vulnerability and others aren't. And so that's where I see 
the principal hindrance to information sharing.
    Mr. Horn. I will have to interject now. At 12:25, we go 
into a formal recess. We will be back at 2 o'clock for the 
questioning. Other Members will be here. And I believe your 
host, the Federal Bureau of Investigation, already has other 
things for you to do during this period. So we are now recessed 
formally. If you want to ask some more questions fine, but you 
can also ask them at 2 p.m.
    [Recess.]
    Mr. Horn. The recess is over, and I hope you had a good 
lunch, and we thank the Federal Bureau of Investigation for 
that hospitality. Since none of us on Capitol Hill except the 
Speaker have a representational allowance, we don't have any.
    But let us ask a few questions. We won't keep you that long 
but there are a few things we did want to talk about.
    To the Department of Defense, let me ask this. Has the lack 
of an international policy on critical infrastructure 
protection impeded the Defense Department's efforts to address 
mutual concerns on infrastructure protection? How would you 
answer that?
    Mr. Schaeffer. No, sir, I believe that with respect to our 
international partners we have worked on an individual basis to 
ensure that where we are reliant upon the infrastructure of the 
nations where we reside. That is not to say that all the 
problems are fixed and everything is wonderful, but we are 
working U.S.-to-host nation to address those issues.
    Mr. Horn. In an unclassified setting, can you tell us what 
countries do you see as having the most developed information 
warfare and computer attack capabilities?
    Mr. Schaeffer. I cannot address that in this forum, sir. 
Actually, that question would probably be addressed better to a 
member of the Intelligence Community than to this portion of 
the Department of Defense.
    Mr. Horn. We will have Mr. Goss ask that.
    How concerned are you in the Defense Department about the 
proliferation of weapons of mass destruction, viruses, hacking, 
exploited denial of service, and will increased information 
sharing improve the response posture of the United States?
    Mr. Schaeffer. Well, sir, I believe I can state 
categorically that we're very concerned. Certainly as one can 
read in the paper every day, the Department is subjected to a 
substantial number of probes, attempted intrusions, attacks, 
however one wants to categorize that. Last year, or in 1999, 
the Joint Task Force-Computer Network Defense registered over 
22,000 attacks on DOD systems.
    Now, it's very, very difficult to say what portion of those 
came from within the United States, what portion may have been 
foreign sponsored, which portion may have been foreign 
generated. I mean, there's a number of those situations that we 
continue to pursue.
    But the volume and the anonymity with which an attacker can 
operate unimpeded from around the world sort of states the 
situation that we are dealing with.
    Mr. Horn. In my opening statement, I referred to NATO as a 
possibility to be able to share information in this area. To 
what degree--well, let's put it this way. The European 
Parliament, the various sovereign nation parliaments, and the 
Council of Europe and all of those groups, everything, the 
OECD, all overlap each other. But I wondered, since NATO has a 
working relationship, and one of the reasons was to have a 
defense group in relation to the Western world, so to what 
extent, if any, is NATO involved in cyber attack problems?
    Mr. Schaeffer. In March 1998, Dr. John Hamre made a visit 
to NATO. We actually visited several individual nations and 
NATO as a body, the C-3 board, within the NATO structure. And 
we gave several presentations on U.S. experiences in the area 
of cyber issues, problems. We laid out our experiences in our 
own exercise environment, Eligible Receiver 97, which was 
really the watershed event that got the Department's attention.
    Mr. Vatis spoke briefly to the Solar Sunrise incident, 
which I refer to as a live fire exercise, and we shared those 
experiences with our NATO partners.
    Subsequent to that, we have continued to expand our 
relationship in terms of sharing experiences, training 
material, approaches to address information assurance issues 
both with NATO nations and non-NATO nations as well. We have 
done that DOD to MOD, the Ministries of Defense of the various 
nations. And so our relationships have been constrained pretty 
much within the context of our military partners.
    In some cases, some nations have sent non-MOD delegations 
to DOD to get our perspectives on critical infrastructure 
issues, information assurance issues, and the Department's 
approach at dealing with those.
    So, I think since the March 1998 timeframe, we've had 
substantial interaction with our foreign allies and partners to 
try to convey what we see as rather substantial problems. And 
I'm pleased to see the progress that NATO has actually made in 
addressing a number of these issues. Again, there's a long way 
to go, but it begins with awareness and understanding and 
common appreciation of the problems.
    Mr. Horn. Now, what do we do for those countries that are 
not in NATO and that rim on the NATO alliance? How do we deal 
with that?
    Mr. Schaeffer. We have, on a bilateral basis, exchanged 
understanding of issues, problems, approaches, with non-NATO 
nations within Europe. But we've done that again, DOD to MOD. 
Sweden is an example of a non-NATO nation that we've had 
information exchanges with.
    Mr. Horn. Are the French now in or out of NATO?
    Mr. Schaeffer. The French are in NATO. And we've had 
exchanges with them as well.
    Mr. Horn. OK. Mr. Genis said this morning, and I'm just 
wondering what the reaction is of all of you, the suggestion of 
an international coordination center. Is there an existing 
organization suited for that purpose? We have a lot of League 
of Nations groups in Geneva and other parts of Europe and other 
parts of the world, and we have U.N. possibilities and all 
that. But I'm just curious if we can go down the line and where 
do we see for having an international coordination center where 
you could relate to them and they would keep up on a lot of 
this and share information. Mr. Reksna.
    Mr. Vatis. If I may, Mr. Chairman, I think Mr. Reksna would 
rather pass on this, if that is OK with you.
    Mr. Horn. That's fine, but if he has some thoughts we would 
welcome them. Because we need to have countries involved, no 
matter what their size. They're important people to us.
    Mr. Reksna. Actually, we should think always the 
possibility, if it's possible, we would answer you in a return 
letter.
    Mr. Horn. Well, thank you. Mr. Vatis.
    Mr. Vatis. I think the need for a much more efficient and 
quick mechanism for sharing information internationally is 
apparent. That is one of the things that the G-8's High-tech 
Crime Subgroup has been discussing over the last year or two. 
The problem that we bump up against is that of national 
sovereignty and the fact that countries are not willing to let 
foreign law enforcement agencies conduct investigative 
activities within their own borders for national sovereignty 
reasons.
    And so what the G-8 has been trying to do is come up with a 
system where countries at least agree to freeze information at 
the request of another country, and then let the normal mutual 
legal assistance treaty process take effect. As some of my 
colleagues had mentioned this morning, that is typically a 
lengthy process, because in the past in traditional crimes, 
speed was not always of the essence the way it is in cyber 
crimes. And so it wasn't of great concern to people that 
requests would take weeks and months.
    Now when evidence can be lost, that sort of delay is simply 
not tolerable and so we are trying to come up with methods, 
first within the G-8 and then on a broader scale once we have a 
model developed, to try and share information more quickly.
    But the idea of a single international body that would have 
powers that might transcend national sovereignty I think would 
pose difficulties not just for the United States but for most 
countries.
    Mr. Horn. Mr. Kronqvist, any thoughts on this?
    Mr. Kronqvist. Thank you. I think such kind of center 
should be very useful. But as a law enforcement person, I would 
like to express that participation of law enforcement agencies 
should be very manifest and I think probably should be by law 
enforcement organizations so secure handling of information 
would not come in the wrong hands.
    Mr. Horn. Mr. Juergen Maurer.
    Mr. Maurer. I'm not convinced that there is a need for a 
specific institution to be established. If it comes to law 
enforcement, I think it would be a much better way to use the 
existing channels and make them aware of the specific needs. 
Especially when it comes to Europe, we have to face how many 
years you need to establish a new police institution, for 
example, like Europol, and it will need another 10 years to 
have a real operative institution. So I would prefer to stick 
with the existing channels and use these channels.
    Mr. Horn. Mr. Meneses, what is your thinking on this?
    Mr. Meneses. Your Honor, I think Interpol is a good bureau 
within which law enforcement could properly coordinate and 
cooperate, considering that it is already existing. I believe 
what is already needed is to refocus some of these people to 
concentrate especially on cyber intrusions. They should be 
given--these people should be directed by the leaders that 
priority should be given on cases under investigation, 
especially on cyber intrusions.
    Mr. Horn. Thank you. Mr. Genis.
    Mr. Genis. Well, ditto. And I'd like to mention that 
Interpol would be an appropriate body. But it should be more 
similar to the NIPC, but which would have control over European 
countries and other countries than within the United States.
    Mr. Horn. Mr. Adamson.
    Mr. Adamson. Yes, Mr. Chairman, Interpol does have the 
framework to do this, but what they are lacking is the 
resources and expertise. There are about 300 police officers 
from around the world assigned to the General Secretary at 
Lyon, including 10 Americans. But cyber crimes is just 
something that has started. Interpol has always been years 
behind. I think with the new Secretary General coming this year 
with a renewed interest in Interpol by the United States, and 
renewed interest by all the first world countries, I think 
things could change. The framework is there and you still have 
the sovereignty aspect but at least the framework for 
communications is there.
    Mr. Horn. Mr. Schaeffer, any other thoughts on this?
    Mr. Schaeffer. Mr. Chairman, I think the only thing I would 
add is that while existing organizations and mechanisms--or 
mechanisms do exist, I think we are a long way from a 
consistent taxonomy in an international sense. What is an 
attack? What constitutes an attack? What is an event? What is 
an intrusion? And so I think there is work that has to be done 
there before we could vest the responsibility for coordination 
in any one body or any group of organizations. I think there is 
much that could be done to create a consistent view of the 
problem and then some sort of international convention of what 
gets reported, how, and in what context.
    Mr. Horn. Mr. Balakgie, is the Defense Department unified?
    Mr. Balakgie. Absolutely, sir. I would say that there might 
be some information that would be difficult to share but that's 
my intelligence. I think you're talking about certain levels 
where you know something is going on, sharing of information 
needs to be done in a rapid manner. It's what happens before 
you get to that point that I think is challenging for us.
    Mr. Horn. Mr. Brock, any thoughts on that, looking around 
the world and around the United States?
    Mr. Brock. I think there is a need for more international 
sharing. I think at least initially it would be difficult to 
see one body doing that initially. Much as in the Y2K, people 
that have already established trust and working relationships 
in particular sectors, it might be feasible for them to begin 
sharing information among themselves and at some point look for 
opportunities for improving sharing among those different 
groups.
    Mr. Horn. Mr. Molander.
    Mr. Molander. I was going to say that same thing. I think 
Y2K was something special, and those people who paid for it by 
drinking champagne in paper cups did over the period leading up 
to that establish a precedent that one could build on even if 
you can't very quickly even think about how to get started on 
international law enforcement institutions. I think the 
precedent set by ICAO and IATA and international ITU should be 
built on before both personal relationships are lost and the 
experiences are lost because you can do a lot of work in that 
area. And as I testified earlier, I think bringing the private 
sector through the individual infrastructure, treating them 
independently, into this problem effectively is a very 
important thing to do. And this would be a good place to start.
    Mr. Horn. Mr. Pescatore.
    Mr. Pescatore. I think I will echo one comment I believe 
Mr. Schaeffer made, that the important piece is the consistent 
taxonomy and lingua franca for defining what is an incident in 
different times and we see nascent standards in that area, work 
within the DOD and private industry, to come up with a common 
language. That would be the first step to get that in use 
across these communities and that would facilitate information 
sharing, be it any of these different mechanisms that we 
talked about as a coordinating body.
    Mr. Horn. Now the private sector sort of was in and out of 
your testimony, depending on the situation. Is the private 
sector here, Europe, Asia, wherever, in computing, are they 
aware of the problems that the viruses create, are they working 
on ways to block that in the computers that they sell? You 
don't have to name any names, if you don't want to. But does 
that occur somewhere? It seems to me this is a wonderful market 
for someone if they can figure out how to attract people who 
are virus experts and all the rest of it. So what's your 
feeling on that? And do they realize the size of this problem 
and what it could do to the free world as well as the nonfree 
world?
    Mr. Brock.
    Mr. Brock. Every time I testify on computer security, I get 
several calls the following day from vendors saying we have the 
answer and they want to come over and do a demo or whatever. 
And many of them I think, in fact, do have good products. But 
the problem that we've seen at the agencies we've reviewed is 
that using a tool, that many agencies have tools but they don't 
use them effectively. And that's the secret. You can buy a tool 
that is very effective and we have gone into agencies where 
they have great firewalls but they haven't turned on all the 
features of the firewall, or where they haven't trained the 
people to use it or they haven't updated it and it is two 
generations back and viruses and other attack methods have 
progressed.
    So I think there are opportunities. But you just can't use 
a tool without knowledge of how that tool is supposed to work 
and without continual training to make it work.
    Mr. Horn. Is there any other feeling from those of you that 
live in Europe as to whether your manufacturing industries see 
this as a real opportunity, if they can block out the type of 
viruses or whatever it is? Are they not interested or are they 
interested in doing this? I think that's where some brain power 
ought to be given to it. It's like anything in defense, 
everybody--you get it done, somebody has something that's 
bigger and then so forth and so on. So it seems to me this 
would be a very good market for everyone there.
    The other thing is do the antitrust laws in the case of the 
United States, does that keep manufacturers and others from 
getting in at the top of this problem? And is that type of 
sharing, should that type of sharing be exempted if it in any 
way is a problem for the antitrust laws? I don't know the GAO 
has looked at that and we don't have anybody really from 
Justice on the legal side. But I think we need to pursue that 
with the Department of Justice and see if something needs to be 
done to amend the law.
    Mr. Brock. My colleague, Joe Williamson, testified last 
month on H.R. 4246, the Cyber Security Information Act, which 
was very similar to a Y2K legislation that eased some of the 
concerns that companies had about sharing information so they 
wouldn't violate various antitrust provisions, and we were very 
positive about that act and thought that anything that would 
alleviate concerns between companies about sharing information 
was a positive step forward.
    Mr. Horn. Well, I think you're absolutely right on that and 
we need to pursue that a little more perhaps with the Judiciary 
Committee.
    Let me just ask on the cyber attacks that have been 
investigated, is there a single point of contact in the United 
States that all of you who are not in the United States use as 
your contact point? Is it the FBI's center or are there other 
places you can also--Carnegie-Mellon has not really come up 
this morning and Carnegie-Mellon has been doing a lot of work 
on how to deal with this problem.
    So I don't know if any people that are--are you primarily 
relating to Mr. Vatis and the center there? Or are there others 
that can help you in this country? Because we'd like to know 
where they are and we know about Carnegie-Mellon. Is there any? 
Yes?
    Mr. Maurer. Our first partner in these cases would be the 
FBI. If it comes to a legal assistance request, we should have 
to go through the Department of Justice, but they refer us 
always then back to the FBI. So our main partner would be the 
FBI.
    Mr. Horn. Is that the general feeling of most of you, that 
you relate to the FBI essentially? Yes?
    Mr. Kronqvist. Yeah, normally we have contact with the FBI 
through the Legal Attache's office. But we have also other 
contacts with them, some of the other parts of the FBI, because 
we have training exercises with the FBI also on projects like 
that.
    Mr. Horn. Well, they're a good group to deal with. Do each 
of your countries have decent legislation now to combat the 
cyber attacks? I know the Philippines has. I wish our Congress 
could move as fast as yours did, because you seemed to move 
very rapidly. Is there a model law that would fit for every 
country on that? I realize there are different legal practices 
under the laws.
    But do you feel that there's some of the countries that 
maybe surround you don't have any laws on this and maybe some 
don't even care to have any laws about this, because some of 
them might be doing the things that we are trying to block. So 
is there a feeling that there is a weakness of laws in some of 
your countries? Yes? Dr. Maurer.
    Mr. Maurer. I'm not that familiar with this part of our 
work, but it seems that there's a feeling that there is a lack 
of the law passage. There is an effort by the European 
Community to harmonize the different laws. So the European 
Council or the members of the European Council or delegation 
located here in Washington, DC, they might be a good place to 
go and get more information on that.
    Mr. Horn. Any other thoughts on that? Well, let's get to 
the point of should there be a global treaty on this? And does 
it even make any sense, given all the diversity and all the 
complexity that's involved in this? Should that be either 
pursued bilaterally and signing or having the Europeans deal 
with that, the Asians on their continent, whatever it is? That 
if a global treaty is needed? What is the feeling on that?
    The gentleman from Latvia might want to respond on this one 
because I would think that would be in your interest in terms 
of Europe and that area to have some sort of a relationship. 
Any thoughts on it, as we would say in this institution, the 
gentleman from--in your case you're the gentleman from Latvia, 
and we are glad to have you here.
    Mr. Reksna. Without doubt, we'll need agreements on 
cooperation. But we should say openly that actually all the 
countries, there is much bureaucracy in each country and any 
more agreements--any other agreement also like needs more 
bureaucratic work and papers. In order to solve, to detect a 
crime, the main thing is time--to shorten the time. And because 
of that, I would agree to that said by our colleagues that at 
the present moment, maybe one of the most effective ways to 
work in this direction is personal contacts, to have more 
personal contacts and to have really good working relationship 
and contacts with LEGAT, with FBI liaison officers.
    And for sure, there should be present such a thing as 
trust. Trust as on the level of law enforcement institutions in 
the country, between different countries, and the trust 
between--we are to build the trust between the law enforcement 
agencies and the private sector. Because if there is a trust, 
there would be an effect.
    Mr. Horn. Thank you very much. Mr. Vatis, what do you think 
on this?
    Mr. Vatis. I think one of the most pressing needs 
internationally is for harmonization. Or if not quite 
harmonization, at least some minimal level of substantive 
criminal law in all the countries around the world to 
specifically address computer crimes because one of the 
problems that we have seen is if we have an incident and we 
determine that the perpetrator is located in a country where 
there is no applicable law, there is no chance for prosecution 
oftentimes in that country and there is also no chance for them 
to provide assistance to us because they don't have the legal 
basis to even engage in an investigation.
    But I think our approach has been that the best and most 
likely way to achieve that gradual creation of laws around the 
world is not by jumping right to a global treaty of some sort, 
because I think that would take a considerable amount of time, 
given the great differences in perspectives and priorities 
among the different countries, but instead to try to encourage 
the passage of new laws on a bilateral basis, and on a 
multilateral basis first to deal with smaller groups of 
countries that have common interests.
    So we've been doing that through the G-8 and then Europe 
has been doing that through the Council of Europe. And I think 
if we start with those types of smaller groups of countries 
with common interests we'll eventually create some momentum and 
eventually see most, if not all countries around the world have 
applicable laws.
    Mr. Horn. Any thoughts on this, Mr. Kronqvist?
    Mr. Kronqvist. Yes, I think international agreements can be 
very useful because even domestic legislation can be organized 
very rapidly if there is--international work is the issue.
    Mr. Horn. Dr. Maurer.
    Mr. Maurer. Just would like to support the thoughts Mr. 
Vatis just told us. That is exactly our position too.
    Mr. Horn. Mr. Meneses.
    Mr. Meneses. I agree with the observation of the honorable 
chairman that there should be an international or global 
treaty, considering that information technology moves so fast. 
And the Web site would be on the other part of the world and 
the suspect or the culprit may be on the other side of the 
world and there may be a problem on how to get some of this 
evidence. But if everybody--if there is a treaty, at least the 
investigators or the law enforcers would have a chance to call 
on such country or nation to give in some of the evidence that 
we need. Of course the recommendation of Mr. Vatis could also 
be a preparatory step to that global treaty.
    Mr. Genis. I'd like to stress, sir, that an international 
treaty will allow us or will give us the ability to address 
foreign countries, besides the United States, where we speak in 
the same legal terms. And it will simply make the process 
accelerated.
    Mr. Horn. Mr. Adamson.
    Mr. Adamson. Yes, I mentioned that Interpol works with a 
number of organizations and, as I previously mentioned, the 
Council of Europe has been doing this with a draft convention 
on cyber crime recently. And they are putting together, this 
will probably be the first international treaty to address this 
problem of cyber crime. As I understand it, the text will be 
finalized by the end of this year. The Committee of Ministers 
may adopt it as early as autumn 2001. Again this is piecemeal, 
this is Europe. But it is the first step probably to do 
something worldwide.
    Mr. Horn. What is the process in terms of Interpol in 
developing a document such as that?
    Mr. Adamson. Well, Interpol isn't doing it. Interpol is 
only supporting it. It is really the Council of Europe. It is 
again one of the many organizations that we belong to. But we 
are listening, we are watching what they are doing and perhaps 
through our mechanism we can show the rest of the world that 
this can be done.
    Mr. Horn. That is good. I am sure that is a publication 
that will be sought in a lot of places.
    Any other thoughts on this?
    Mr. Adamson. Not from me, no, Mr. Chairman.
    Mr. Schaeffer. I think I find what Mr. Adamson says very 
interesting. I wasn't aware that there was such work going on. 
But I think, from a Department perspective, I think Mr. Vatis 
articulated our position very well.
    Mr. Horn. Well, which reminds me on this situation, if 
that's so, are our defense attaches educated and trained that 
this is a real problem? Where in our Embassy should we have 
somebody that can deal with this?
    Mr. Schaeffer. I think we are continuing to educate and 
raise the awareness of the defense attaches around the world. 
But--there are levels of understanding to the problem and many 
of the issues that we deal with are down in the nuances of 
exactly what happened and how and where, and that takes a depth 
of understanding that is much, much greater than just 
awareness. We continue to pursue that, but--again, we are a 
ways away from having a completely trained and educated cadre 
of folks around the world.
    Mr. Horn. Thank you. Any other thoughts?
    Mr. Balakgie. Just one other comment to the defense attache 
question. Since they are managed out of a different 
intelligence agency, we do have some procedures that they are 
provided on how to deal and address some cyber issues in terms 
of their role in the Embassies. So there--just to reinforce 
that there is an awareness.
    On a previous question on an international treaty, I would 
echo what some of the other panelists have already stated, and 
that is it would go a long way in at least having the ability 
to reach into some of these other countries when a problem 
occurs and see some legal or law enforcement activities kick 
into gear to help us address some of these issues. So I would 
definitely think that would be highly recommended.
    Mr. Horn. Well, that's a very good point that we cannot 
wait until it happens, we need to get ahead of the game.
    Mr. Brock.
    Mr. Brock. I think you're raising a very interesting point. 
I think there needs to be all sorts of avenues for 
international cooperation. And sometimes if you have a good 
relationship informal things that are flexible work very well 
when you have a good understanding, but when you don't have a 
good understanding that sometimes more formal arrangements 
really force you to lay out the issues in ways of dealing with 
them.
    Another area that could lead to interesting discussions as 
well, just as you have arrangements, treaty arrangements on 
weapons of mass destruction for chemical and biological 
warfare, there might be a point some time where you would want 
to consider such treaties that would prevent using cyber 
warfare as a weapon of mass destruction, which it certainly has 
that capability.
    Mr. Horn. It certainly has the capability of scooping up a 
lot of money in one place or the other also. It is amazing what 
can be done. Mr. Molander.
    Mr. Molander. We have tended to call--use the term 
``weapons of mass disruption'' for the context that Mr. Brock 
spoke about. I think the proposed convention would go a long 
way in a dimension that Mr. Schaeffer mentioned, which was get 
a taxonomy that could be used by someone. There is an 
extraordinary language problem. One sees it in law enforcement 
and in critical infrastructure protection. It also will help to 
get ready for the point where one deals with the difference 
between is this crime or is this war? And I think that's an 
interface that is a real challenge for I think every country 
because every country handles matters differently.
    We have a fourth amendment; other countries don't. And the 
possibility of having an international convention that covers 
acts of war through or using cyber space was introduced a 
couple of years ago at the U.N. by the Russians. One of the 
reasons it probably did not go anywhere is that unlike 
biological weapons and chemical weapons, where there is an 
international consensus on not using those weapons as weapons 
of warfare, there is no such consensus on nuclear weapons. What 
consensus might emerge on using cyber weapons or whatever you 
want to call them against infrastructures, for example, is a 
long way off, and I think until there is some common goal that 
people can all endorse trying to write a treaty, and we ran an 
exercise one time that said write me the first article of the 
treaty, I've had treaty experience. Write me the first article 
and then tell me what goal that article is going to advance you 
toward. And that left everyone mute.
    Mr. Horn. Well, that reminds me in my university President 
days, I learned do not be the Alpha project in a computer 
operation. Go way back and be the last one, the Zebra project. 
And a lot of our problems in our own domestic government have 
been because they did not have good management at it and they 
are constantly reinventing the wheel and this is too dangerous 
to be reinventing the wheel unless it is going in a decent 
direction. Mr. Pescatore, any thoughts on this?
    Mr. Pescatore. I would echo the importance of a global 
treaty or agreement on the difference between crime and 
warfare. We can certainly spin a scenario of an environmental 
group in India attacking U.S. banking systems in cyber warfare 
that appears to come from China, what is the response? Is it 
crime? Is it warfare? What is the common definition between the 
two and agreed upon responses? I think that will be a major 
problem in the future.
    Mr. Horn. In our closing here, if there are any questions 
that any of you would like to ask others while they are here, 
this is a pretty talented group, so if say the General 
Accounting Office that works for Congress throughout the world, 
if you have any questions, Mr. Brock, that we've missed along 
the line, feel free to ask something, and the same with our 
guests.
    Mr. Brock. We are actually doing a review of both Mr. 
Schaeffer's operation and Mr. Vatis's operation now. So we have 
been exercising our opportunities to introduce them and the 
results of those should be available next spring, and hopefully 
we will have another opportunity to share the results of that.
    Mr. Horn. We would be glad to see it.
    Let me just thank the staff that have helped on this: J. 
Russell George, our staff director, chief counsel. Ben Ritt is 
to my left, your right, he is on detail to us from the General 
Accounting Office. Bonnie Heald, director of communications, 
Bryan Sisk, clerk, Elizabeth Seong, staff assistant, William 
Ackerly and Davidson Hulfish, interns, and for Mr. Turner's 
staff, Trey Henderson, counsel, to my right and your left, and 
Jean Gosa, minority clerk, and Joe Strickland, we thank you and 
your colleague, Colleen Lynch, our court reporters.
    I think that this has been very productive, at least for 
us, and I hope it has to some degree for you. I thank each of 
our witnesses today. Some of you have traveled great distances 
to be here. Your testimony has been very helpful to this 
subcommittee as we continue our oversight of computer security 
issues in the United States.
    As all of you are aware, the national and international 
remediation efforts associated with Y2K were well coordinated 
and highly successful, but that was after congressional 
oversight when they finally got around to it and it worked out. 
But this is a situation where you can't drift for the years 
that we had drifted on Y2K. Y2K provided us with a snapshot of 
our Nation's interdependence, and intradependence. This soaring 
number of cyber attacks provides us with an entire photo album 
and we need the same, in the United States at least, Y2K-type 
of focus on this issue that we did on that issue.
    Each of our governments must have a matrix in place to 
ensure the security of its critical infrastructure. This 
subcommittee is in the process of developing a system to gauge 
the progress of our Federal agencies in protecting their 
computer systems against these attacks. We will be examining 
that progress in September.
    We have asked the Comptroller General of the United States, 
who heads the General Accounting Office, to be looking at all 
of the computers' hardware as well as the software throughout 
the Federal Government. We are way behind in a lot of 
computing. We are still in the sixties in some parts, and many 
of you are way ahead of us.
    So each of our governments must have a matrix in place to 
ensure the security of its critical infrastructures.
    This subcommittee is in the process of developing a system, 
as I said, to gauge the matter, just as we did on Y2K, and when 
we come back from the August recess we'll be looking at this 
matter again.
    Beyond this domestic challenge, we all must begin 
addressing the need for well-coordinated, international 
structure that can provide timely and accurate information to 
those who need it. On behalf of the subcommittee and the 
Committee on Government Reform generally, I thank you for your 
insight, your time, and your participation.
    So have a wonderful trip home and we appreciate your coming 
and spending your talents with us. We are now adjourned.
    [Whereupon, at 3:03 p.m., the subcommittee was adjourned.]
    [Additional information submitted for the hearing record 
follows:]
[GRAPHIC] [TIFF OMITTED] T4152.129 through T4152.149